practices/actions-best-practices.md
14 additions & 2 deletions
@@ -83,7 +83,7 @@ While third-party actions can significantly enhance the functionality and effici
- *Lack of Maintenance*: Some third-party actions may not be actively maintained, leaving them vulnerable to security issues or compatibility problems with newer GitHub Actions features.
- *Excessive Permissions*: Third-party actions may request more permissions than necessary, potentially exposing sensitive data or allowing unauthorized access to your repository.
-
To mitigate these risks, all actions must be pinned to specific commit SHAs, reviewed before adoption, and sourced only from trusted publishers.
+
To mitigate these risks, all actions must be pinned to specific commit SHAs, reviewed before adoption, and sourced only from trusted publishers. Teams must minimise use of third-party actions and should expect the permitted set of actions to be restricted over time.
### Pin All Actions to a Commit SHA
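Review bot: the added sentence at line 86 tells teams to expect the permitted set of actions to be restricted over time, but nothing in the hunk says where that permitted set is published or who owns it, so a team cannot check whether an action it already uses is affected. Suggest adding a pointer in the same sentence, e.g. `... should expect the permitted set of actions, maintained by <owning team> in <location>, to be restricted over time.` (placeholders to be filled in by the author). The rest of the change is consistent with the SHA-pinning requirement in the section that follows.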
@@ -113,11 +113,23 @@ updates:
### Verify Third-Party Actions
-
When including a GitHub Action within your workflow consider alternatives, is there an existing mechanism you can use? Would this be something that could be reused and you could create your own action within the organisation that other teams could benefit from? If you can only achieve your goal with a third-party action then:
+
Third-party actions must not be the default choice. Before introducing one, teams should confirm that the requirement cannot be met by:
+
+
- Native GitHub Actions features such as `run` steps, reusable workflows, or built-in workflow syntax
+
- An action already owned and maintained within the organisation
+
- An action that is already approved for reuse by other teams
+
+
If a third-party action is still required, document why it is needed, what alternatives were considered, and why those alternatives were rejected. Teams should prefer actions with a clear maintenance history, minimal permissions, and a narrow, well-understood scope.
+
+
If you can only achieve your goal with a third-party action then:
- Only use trusted actions from the GitHub Marketplace
- Review the source code of third-party actions before using them
- Consider forking and maintaining your own copy of critical actions
+
- Keep a record of the approval decision and the version or SHA that was reviewed
+
- Be prepared to replace the action if organisational policy restricts the allowed set of actions
+
+
The long-term direction is to lock down the set of actions that can be used. Teams should therefore avoid introducing new third-party actions unless there is a clear, defensible need.
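Review bot: the new bullet `- Keep a record of the approval decision and the version or SHA that was reviewed` lets a version tag stand in for a commit SHA, but the "Pin All Actions to a Commit SHA" section in this same file requires SHA pinning, and a review record keyed only to a tag cannot later be matched to the exact code that was reviewed once the tag is moved. Suggest `- Keep a record of the approval decision and the commit SHA that was reviewed`. Secondary point: `- Only use trusted actions from the GitHub Marketplace` still leaves "trusted" undefined, while the new bullets above introduce "already approved for reuse by other teams"; consider tying the two together so that the approved set is the definition of trusted rather than leaving it to each team's judgement.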