What is SHA pinning in CI workflows?

SHA pinning replaces traditional version tags with specific immutable commit hashes to prevent supply chain attacks if a third-party action is compromised or updated maliciously.

How does this skill improve GITHUB_TOKEN security?

It implements job-level permissions to ensure each individual step in your workflow has only the absolute minimum access required to function, limiting the potential blast radius of a breach.

Can I use these templates for open-source projects?

Yes, the skill includes specific patterns for safe fork PR handling, ensuring that external contributors can run tests without gaining access to sensitive repository secrets.

Are there templates for specific programming languages?

Yes, the skill provides various language-specific variants that include relevant security scanning and build steps tailored for different development ecosystems.

Hardened CI Workflows

Name: Hardened CI Workflows
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

0•

デプロイメントとDevOps

Generates production-ready, security-hardened CI/CD workflow templates for GitHub Actions with integrated best practices.

This skill provides a comprehensive library of secure-by-default CI/CD templates designed to eliminate common vulnerabilities in GitHub Actions. It automates the implementation of critical security patterns such as SHA-pinning to prevent supply chain attacks, job-level GITHUB_TOKEN permission scoping, and specialized handling for pull requests from forks. By using these templates, developers can ensure their automation pipelines meet enterprise-grade security standards while reducing the manual effort required to configure scanners and permission sets.

主な機能

01Language-specific security-first CI variants

02SHA-pinned GitHub Action references for supply chain security

03Integrated secret scanning and prevention patterns

04Minimal job-level GITHUB_TOKEN permissions management

05Safe handling configurations for pull requests from external forks

060 GitHub stars

ユースケース

01Refactoring existing CI pipelines to meet modern enterprise security standards

02Implementing secure CI/CD for open-source projects handling external contributions

03Bootstrapping new GitHub repositories with production-grade security defaults

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills hardened-ci-workflow

For use in Claude.ai and ChatGPT

Download Skill