Can this skill help minimize GITHUB_TOKEN permissions?

Yes, it provides implementation patterns for setting restrictive default permissions at the workflow level and explicitly defining only the required scopes for individual jobs.

How does this skill prevent script injection in workflows?

It identifies vulnerable steps where untrusted input like PR titles or branch names are interpolated directly into shell commands and replaces them with secure environment variable mappings.

Why should I pin actions to SHA digests instead of version tags?

Version tags are mutable and can be pointed to malicious code by a compromised third-party account. SHA digests are immutable, ensuring you only ever run the exact code you have vetted.

What is the security risk of using pull_request_target?

The pull_request_target event runs in the context of the base repository with access to secrets. This skill helps you implement gates to prevent attackers from executing malicious code via this event.

GitHub Actions Security Hardening

Name: GitHub Actions Security Hardening
Author: micsapp

bymicsapp

0•

Security & Testing

Secures GitHub Actions workflows against supply chain attacks, credential theft, and script injection through industry-standard hardening practices.

This skill provides specialized guidance for securing CI/CD pipelines on GitHub. It enables Claude to implement critical security measures such as pinning actions to immutable SHA digests, enforcing the principle of least privilege for GITHUB_TOKEN permissions, and preventing shell script injection from untrusted inputs. It is an essential tool for DevSecOps teams looking to protect their software supply chain, secure production deployments, and establish robust audit trails for workflow modifications.

Key Features

01Immutable SHA-256 action pinning for supply chain integrity

020 GitHub stars

03Least-privilege GITHUB_TOKEN permission configuration

04Automated shell script injection prevention

05Workflow change control implementation via CODEOWNERS

06Environment-based deployment protection and approvals

Use Cases

01Auditing existing GitHub workflows for security vulnerabilities

02Setting up secure handling for pull requests from forks

03Hardening CI/CD pipelines against sophisticated supply chain attacks

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills securing-github-actions-workflows

For use in Claude.ai and ChatGPT

Key Features

01Immutable SHA-256 action pinning for supply chain integrity

020 GitHub stars

03Least-privilege GITHUB_TOKEN permission configuration

04Automated shell script injection prevention

05Workflow change control implementation via CODEOWNERS

06Environment-based deployment protection and approvals

Use Cases

01Auditing existing GitHub workflows for security vulnerabilities

02Setting up secure handling for pull requests from forks

03Hardening CI/CD pipelines against sophisticated supply chain attacks

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills securing-github-actions-workflows

For use in Claude.ai and ChatGPT