GitHub Actions misconfigurations have been behind major supply chain attacks in 2025-2026. This security checklist covers the most critical vectors: avoiding pull_request_target and workflow_run in public repos, preventing script injection by never interpolating github.* values directly into run steps, pinning all third-party actions to full commit SHAs, using OIDC instead of long-lived cloud credentials, setting GITHUB_TOKEN permissions to read-only by default, avoiding self-hosted runners on public repos, and scoping secrets at the step level. Real-world attack examples (tj-actions, Trivy, Ultralytics, Shai-Hulud) illustrate each risk. Supporting tools like zizmor, pinact, Dependabot, Harden-Runner, and Aikido Safe Chain are recommended to enforce these practices.
Table of contents
Why are there so many security issues with GitHub Actions?Sort: