
GitHub Actions Security Checklist: 12 Things to Audit Before You Ship
GitHub Actions is powerful — and that power cuts both ways. A misconfigured workflow can leak secrets, allow unauthorized code execution, or let attackers pivot into your production environment. Here's the checklist I run through before shipping any workflow.

1. Pin third-party actions to a full commit SHA

```yaml
# ❌ Dangerous — tag can be moved
- uses: actions/checkout@v4

# ✅ Safe — immutable
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
```

Tags are mutable. An attacker who compromises an upstream action repo can push a new commit to the v4 tag. Pinning to a SHA means you get exactly what you audited.

Tool that catches this: workflow-guardian flags unpinned actions automatically.

2. Never use pull_request_target without extreme caution

pull_request_target runs with write permissions and access to secrets — even for PRs from forks. Combined with actions/checkout on the PR head, you have a critical vulnera
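The two checks above (unpinned action references, and a pull_request_target workflow that checks out the PR head) can be audited with a small line-based scanner. This is an added example, not code from the post and not workflow-guardian; the sample workflow, the regexes and the function names are constructed here, and the scan is a heuristic over raw text rather than a full YAML parse.

```python
import re

# Constructed sample workflow (not from the post): one SHA-pinned step, one
# tag-pinned step, and a pull_request_target trigger that checks out the PR head.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4   # tag, not a SHA
      - uses: ./.github/actions/local-step
      - run: npm test
"""

# "uses: owner/repo[/path]@ref", with or without a leading "- " or quotes.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'@]+)@([^\s"\']+)')
# A full-length commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# An expression that checks out the PR head instead of the base branch.
PR_HEAD_RE = re.compile(r'github\.event\.pull_request\.head\.(sha|ref)')

def strip_comment(line):
    """Drop a trailing YAML comment so commented-out steps are not findings."""
    return line.split('#', 1)[0]

def audit_workflow(text):
    """Return [(line_no, message), ...] for one workflow file (heuristic, line-based)."""
    lines = [strip_comment(l) for l in text.splitlines()]
    # Any mention of the trigger outside a comment is treated as it being enabled.
    uses_pr_target = any('pull_request_target' in l for l in lines)
    findings = []
    for no, line in enumerate(lines, start=1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(2)):
            findings.append((no, f'unpinned action {m.group(1)}@{m.group(2)}: '
                                 'pin to a full commit SHA'))
        if uses_pr_target and PR_HEAD_RE.search(line):
            findings.append((no, 'pull_request_target workflow checks out the PR head: '
                                 'untrusted fork code would run with a write token and secrets'))
    return findings

if __name__ == '__main__':
    for no, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f'line {no}: {msg}')
```

Run against the sample it reports the PR-head checkout on line 11 and the tag-pinned setup-node step on line 12; the SHA-pinned checkout and the local action produce no findings.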
Continue reading on Dev.to DevOps



