Does this skill help with GitHub Actions permissions?

Absolutely. It defaults workflows to read-only permissions and guides you to set minimal, specific permissions at the job level only where needed.

Can I use this on my existing workflow files?

Yes, you can provide a file path as an argument, and the skill will read the file and apply all hardening rules to your existing configuration.

Why should I pin actions by commit SHA instead of version tags?

Tags are mutable and can be moved to point to malicious code without your knowledge. Commit SHAs are immutable, ensuring you only run the exact code you have audited and approved.

How does this skill help prevent script injection?

It identifies dangerous context expressions like github.event.issue.title and ensures they are mapped to environment variables rather than being directly interpolated into shell 'run' blocks.

Secure GitHub Actions

Name: Secure GitHub Actions
Author: tacogips

bytacogips

0•

部署与 DevOps

Hardens GitHub Action workflows by implementing commit SHA pinning, minimal permissions, and script injection prevention.

This skill secures your CI/CD pipelines by enforcing supply chain security best practices within GitHub Action workflow files. It automates the complex task of resolving action tags to immutable commit SHAs, configures least-privileged permissions, and wraps dynamic event data in environment variables to prevent shell injection attacks. Whether you are creating a new workflow or auditing an existing one, this skill ensures your automation follows the highest security standards recommended by GitHub and OpenSSF.

主要功能

01Enforcement of least-privilege 'permissions' blocks at workflow and job levels

02Automatic pinning of action references to immutable 40-character commit SHAs

030 GitHub stars

04Prevention of shell injection vulnerabilities by mapping event data to environment variables

05Hardening of checkout steps by disabling credential persistence

06Automated configuration of timeouts and concurrency groups to prevent resource exhaustion

使用场景

01Converting existing GitHub Action tags to secure commit SHAs for supply chain security

02Auditing and refactoring existing .github/workflows for security compliance

03Generating production-grade, hardened CI/CD workflows from high-level descriptions

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add tacogips/claude-code-agent secure-github-action

For use in Claude.ai and ChatGPT

Download Skill