Skip to content

[plan] Document GitHub Actions security practices #7996

Closed
Closed
[plan] Document GitHub Actions security practices#7996
Assignees
mnkiefercopilot-swe-agent
Labels
ai-generateddocumentationImprovements or additions to documentationplansecurity
@github-actions

Description

@github-actions
github-actions
bot
opened on Dec 28, 2025

Objective

Create comprehensive security documentation to formalize and communicate GitHub Actions security best practices to contributors.

Context

The repository demonstrates excellent security practices (99.9% action pinning, minimal permissions model, etc.) but lacks formal documentation of these practices. Documentation will help maintain security standards as the project grows.

Approach

Step 1: Create SECURITY.md

Add a security policy document covering:

  • Action pinning policy (all actions must be pinned to SHA)
  • Reporting security vulnerabilities
  • Security update process
  • Supported versions

Step 2: Update CONTRIBUTING.md

Add a "Workflow Security Guidelines" section covering:

## Workflow Security Guidelines

When contributing workflows:

1. **Always pin actions to commit SHA**
   -`uses: actions/checkout@abc123def789  # v4.0.0`
   -`uses: actions/checkout@v4`

2. **Use minimal permissions**
   - Declare empty permissions at workflow level
   - Grant minimal permissions at job level

3. **Avoid dangerous triggers**
   - Be cautious with pull_request_target
   - Validate all external inputs

4. **Vet third-party actions**
   - Only use actions from trusted sources
   - Review action source code when possible

Step 3: Create docs/security-practices.md

Detailed security documentation covering:

  • Why we pin actions to SHAs
  • Permission model explanation
  • Third-party action vetting process
  • Security monitoring procedures
  • How to respond to security findings

Step 4: Update AGENTS.md

Add reference to security documentation:

## Security Best Practices

See [SECURITY.md](SECURITY.md) for:
- Security policy and vulnerability reporting
- Workflow security guidelines
- Action pinning requirements

Files to Create/Modify

  • Create: SECURITY.md
  • Update: CONTRIBUTING.md
  • Create: docs/security-practices.md
  • Update: AGENTS.md

Acceptance Criteria

  • SECURITY.md created with vulnerability reporting process
  • CONTRIBUTING.md includes workflow security guidelines
  • docs/security-practices.md provides detailed security guidance
  • AGENTS.md references security documentation
  • Documentation reviewed for completeness and clarity
  • Examples include both ✅ correct and ❌ incorrect patterns

Estimated Effort

2-3 hours
Related to #7992

AI generated by Plan Command for discussion #7983

Metadata

Metadata

Assignees

Labels

ai-generateddocumentationImprovements or additions to documentationplansecurity

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions