Why should I pin actions to a commit hash instead of a version tag?

Pinning to a commit hash is the most secure method because it is immutable, protecting your workflow from supply chain attacks where a version tag might be moved to point to malicious code.

Does this skill help with CodeQL compliance?

Yes, it specifically addresses common CodeQL alerts such as 'missing-workflow-permissions' and 'expression-injection-in-workflow' by providing standardized, safe alternatives.

How does this skill prevent GitHub Action injection attacks?

It identifies untrusted inputs like PR bodies or titles and provides patterns to wrap them in environment variables instead of using them directly in shell commands, preventing malicious scripts from being executed.

What is the 'least-privilege' principle for workflows?

It means explicitly defining only the minimum necessary GITHUB_TOKEN permissions (like contents: read) required for a job to function, rather than using default broad permissions that could be abused if a token is compromised.

GitHub Workflow Security Patterns

Name: GitHub Workflow Security Patterns
Author: JacobPEvans

byJacobPEvans

•

Seguridad y Pruebas

Implements secure, production-grade GitHub Actions workflows using canonical security patterns and CodeQL best practices.

This skill provides a comprehensive set of security-hardened patterns for GitHub Actions workflows, designed to prevent common vulnerabilities like expression injection and privilege escalation. It guides developers through implementing least-privilege permissions, secure secret handling, and shell safety (e.g., set -euo pipefail) while ensuring compliance with CodeQL security checks. Whether you're setting up a new CI/CD pipeline or auditing existing workflows, this skill helps mitigate risks by providing standard-compliant templates for artifact security, dependency pinning, and reusable workflow contracts.

Características Principales

012 GitHub stars

02Enforce least-privilege permissions blocks to limit the blast radius of tokens

03Automate dependency version pinning and checksum verification for toolchains

04Standardize shell safety using set -euo pipefail in multi-line scripts

05Mitigate expression injection by wrapping untrusted inputs in environment variables

06Implement secure secret handling and masking to prevent credential leakage

Casos de Uso

01Creating secure-by-default CI/CD pipelines for open-source repositories

02Hardening existing GitHub Actions workflows to pass CodeQL security audits

03Implementing complex reusable workflows with proper permission delegation

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add jacobpevans/claude-code-plugins github-workflow-security-patterns

For use in Claude.ai and ChatGPT

Características Principales

012 GitHub stars

02Enforce least-privilege permissions blocks to limit the blast radius of tokens

03Automate dependency version pinning and checksum verification for toolchains

04Standardize shell safety using set -euo pipefail in multi-line scripts

05Mitigate expression injection by wrapping untrusted inputs in environment variables

06Implement secure secret handling and masking to prevent credential leakage

Casos de Uso

01Creating secure-by-default CI/CD pipelines for open-source repositories

02Hardening existing GitHub Actions workflows to pass CodeQL security audits

03Implementing complex reusable workflows with proper permission delegation

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add jacobpevans/claude-code-plugins github-workflow-security-patterns

For use in Claude.ai and ChatGPT