
I Built a Free GitHub Action That Catches Workflow Security Issues Before Production
The Problem

My team spent an afternoon debugging why our deploy workflow wasn't triggering on certain PRs. Turns out a paths filter had a glob pattern that looked right but matched nothing due to how GitHub evaluates path filters. The YAML was valid. CI was "passing." We just weren't running the jobs we thought we were. That's the kind of bug that's invisible until it isn't.

The Solution: workflow-guardian

I made workflow-guardian to catch that entire class of problem. Add it to your workflows and it statically analyzes all your .github/workflows/*.yml files on every PR.

Quick Start

Add it as a step in a job:

    - uses: ollieb89/workflow-guardian@v1

That's it. One line.

What It Catches

🔒 Unpinned Actions (Supply Chain Risk)

Using actions/setup-node@v4 means you're trusting that the v4 tag hasn't been moved to point at malicious code. workflow-guardian flags these and suggests the exact SHA pin:

    ❌ deploy.yml:14 Action 'actions/setup-node@v4' is not pinned to a SHA.
    Fix: actions/setup-node@1a4442cacd436585916779262731d1f68189e
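To make both checks concrete, here is an added Python example (not workflow-guardian's own source) that implements them over constructed input: a GitHub paths-filter glob matcher used to flag a `paths:` pattern that matches no file in the repository tree, and a line scan for `uses:` references whose ref is not a full 40-hex commit SHA. The sample workflow, the file tree and the `src/*.ts` pattern are assumptions for illustration; the post does not say which pattern bit the author's team. Resolving a tag to the SHA shown on the Fix line requires `git ls-remote` against the action's repository and is deliberately left out so the example runs offline.

```python
"""Two static checks in the spirit of workflow-guardian (example code, not the
project's own source): dead `paths:` filters and unpinned `uses:` references.
The sample workflow and file tree below are constructed input."""
import re

SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# `uses:` value, with or without a list dash, optionally quoted; stops at a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a GitHub paths-filter glob into an anchored regex.

    GitHub's rules: `*` and `?` never cross a `/`; `**` matches anything, and
    `**/` may stand for zero directory levels, so `docs/**/*.md` matches both
    `docs/README.md` and `docs/mona/hello-world.md`.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def path_matches(pattern: str, path: str) -> bool:
    return glob_to_regex(pattern).match(path) is not None


def dead_path_filters(patterns, tracked_files):
    """Return the `paths:` patterns that match no tracked file: valid YAML, green
    CI, and a trigger that can never fire. Negated patterns (`!...`) only
    subtract from earlier matches, so they are not checked."""
    return [p for p in patterns
            if not p.startswith("!")
            and not any(path_matches(p, f) for f in tracked_files)]


def unpinned_uses(workflow_text: str):
    """Return (line_number, reference) for each `uses:` not pinned to a full SHA.
    Local actions (`./...`) have no ref and `docker://` images are pinned by
    digest rather than git SHA, so both are skipped."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


# Constructed sample tree: nothing sits directly under src/, only in subdirs.
TRACKED_FILES = [
    ".github/workflows/deploy.yml", "package.json",
    "src/app/index.ts", "src/components/Button.ts",
    "docs/README.md", "docs/guides/setup.md",
]

# Constructed workflow. `src/*.ts` looks right, but `*` does not descend into
# src/app/, so the trigger never fires. The 40-digit SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: deploy
on:
  pull_request:
    paths:
      - 'src/*.ts'
      - 'docs/**/*.md'
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1111111111111111111111111111111111111111  # placeholder
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm ci && npm run build
"""
# The `paths:` entries above, listed by hand to avoid a YAML-parser dependency.
PATHS_FILTER = ["src/*.ts", "docs/**/*.md"]


def main():
    for pat in dead_path_filters(PATHS_FILTER, TRACKED_FILES):
        print(f"paths filter {pat!r} matches no tracked file ('*' does not cross '/')")
    for lineno, ref in unpinned_uses(SAMPLE_WORKFLOW):
        print(f"deploy.yml:{lineno} Action {ref!r} is not pinned to a SHA")


if __name__ == "__main__":
    main()
```

In a real run you would glob `.github/workflows/*.yml`, take the tracked files from `git ls-files`, and load the `paths:` lists with a YAML parser instead of hand-listing them. When you do pin to a SHA, keep the version as a trailing comment (e.g. `# v4`) so Dependabot or Renovate can still propose updates to the pin; a SHA pin stops a tag from being moved underneath you, but it does not vet the commit you chose to pin.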
Continue reading on Dev.to DevOps