A practical security guide for GitHub Actions CI dependencies, structured as a recipe card. Covers evaluating third-party actions before use, pinning dependencies to immutable SHA digests instead of mutable tags, automating updates with Dependabot or Renovate, applying least-privilege permissions via GITHUB_TOKEN settings, and choosing between GitHub-hosted and self-hosted runners. References real-world supply chain attacks (SolarWinds, tj-actions/changed-files) as motivation, and lists specific tools including frizbee, pinact, ratchet, zizmor, and Scorecard for auditing and pinning workflows.
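As an added example (not code from the guide or from any of the tools it names), here is a small audit script in the spirit of pinact/zizmor: it walks the `uses:` references in a workflow, flags mutable tags or missing refs, accepts only full 40-hex commit SHAs (or digest-pinned container images), and warns when the workflow never restricts GITHUB_TOKEN with a `permissions:` block. The workflow text and the SHA in it are constructed placeholders, not real pins.

```python
import re
from typing import List, Optional

# Constructed sample workflow (not from the original article). The 40-hex
# value is a placeholder of the right shape, not a real commit of setup-node.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # value before any comment
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                 # immutable commit digest

def audit_uses(ref: str) -> Optional[str]:
    """Return a finding for one `uses:` reference, or None if it is acceptable."""
    if ref.startswith("./"):
        return None                      # local action, versioned with the repo itself
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        return None if "@sha256:" in image else f"{ref}: container image not pinned by digest"
    if "@" not in ref:
        return f"{ref}: no ref at all (resolves to the action's default branch)"
    _, version = ref.rsplit("@", 1)
    if SHA_RE.match(version):
        return None
    return f"{ref}: mutable ref '{version}', pin to a full commit SHA"

def audit_workflow(text: str) -> List[str]:
    """Collect findings for a whole workflow file: token scope plus every `uses:`."""
    findings = []
    # No permissions: block at any level means GITHUB_TOKEN keeps the repository default.
    if not re.search(r"^\s*permissions:", text, re.MULTILINE):
        findings.append("no permissions: block; GITHUB_TOKEN gets the repository default scope")
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            finding = audit_uses(m.group(1))
            if finding:
                findings.append(finding)
    return findings
```

Run `audit_workflow(SAMPLE_WORKFLOW)` on the constructed file to see three findings: the missing `permissions:` block, `actions/checkout@v4`, and the un-digested `alpine:3.19` image.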

From cncf.io (7 minute read)
Table of contents:
- TLDR
- Utensils: Tools for cooking up a release
- A word of caution in the kitchen
- Evaluate before using (source your ingredients)
- Pin your dependencies and runner images (protect your tools)
- Automatically update your dependencies (keeping it fresh)
- Self hosted runners vs GitHub Runners (choose your kitchen)
