What is SHA pinning in CI workflows?

SHA pinning replaces traditional version tags with specific immutable commit hashes to prevent supply chain attacks if a third-party action is compromised or updated maliciously.

How does this skill improve GITHUB_TOKEN security?

It implements job-level permissions to ensure each individual step in your workflow has only the absolute minimum access required to function, limiting the potential blast radius of a breach.

Can I use these templates for open-source projects?

Yes, the skill includes specific patterns for safe fork PR handling, ensuring that external contributors can run tests without gaining access to sensitive repository secrets.

Are there templates for specific programming languages?

Yes, the skill provides various language-specific variants that include relevant security scanning and build steps tailored for different development ecosystems.

Hardened CI Workflows

Name: Hardened CI Workflows
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

部署与 DevOps

Generates production-ready, security-hardened CI/CD workflow templates for GitHub Actions with integrated best practices.

关于

This skill provides a comprehensive library of secure-by-default CI/CD templates designed to eliminate common vulnerabilities in GitHub Actions. It automates the implementation of critical security patterns such as SHA-pinning to prevent supply chain attacks, job-level GITHUB_TOKEN permission scoping, and specialized handling for pull requests from forks. By using these templates, developers can ensure their automation pipelines meet enterprise-grade security standards while reducing the manual effort required to configure scanners and permission sets.

主要功能

Language-specific security-first CI variants
SHA-pinned GitHub Action references for supply chain security
Integrated secret scanning and prevention patterns
Minimal job-level GITHUB_TOKEN permissions management
Safe handling configurations for pull requests from external forks
0 GitHub stars

使用场景

Refactoring existing CI pipelines to meet modern enterprise security standards
Implementing secure CI/CD for open-source projects handling external contributions
Bootstrapping new GitHub repositories with production-grade security defaults

关于

主要功能

Language-specific security-first CI variants
SHA-pinned GitHub Action references for supply chain security
Integrated secret scanning and prevention patterns
Minimal job-level GITHUB_TOKEN permissions management
Safe handling configurations for pull requests from external forks
0 GitHub stars

使用场景

Refactoring existing CI pipelines to meet modern enterprise security standards
Implementing secure CI/CD for open-source projects handling external contributions
Bootstrapping new GitHub repositories with production-grade security defaults