feat: add org-level security and reusable workflow security references#41
Add two new reference docs covering org-level SHA pinning enforcement, action allow-lists, pin-github-action tooling, and reusable workflow security model including transitive dependency risks. Cross-reference from existing security-config.md.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request enhances the documentation around GitHub Actions security, focusing on organization-level settings and the security considerations for reusable workflows. It introduces new documents detailing SHA pinning requirements, action allow-lists, and best practices for securing reusable workflows, while also updating existing documentation to cross-reference these new resources.

Highlights
Code Review
This pull request adds valuable documentation regarding organization-level security settings and reusable workflow security for GitHub Actions. The new reference documents are comprehensive and the examples are helpful. My review includes several suggestions to improve the clarity, correctness, and usability of the documentation and the example scripts. This includes fixing a resource leak bug in the batch pinning script, improving its error handling, and converting plain-text file paths into clickable Markdown links for better navigation.
- Add explicit clone error handling with tmpdir cleanup
- Use full 40-char SHA in pinning example
- Remove stderr suppression from npx pin-github-action
- Fix cross-references to use relative Markdown links
- Use portable base64 --decode flag

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Summary
- references/org-security-settings.md covering the sha_pinning_required org setting, the pin-github-action CLI tool (install, usage, batch script), the allowed_actions policy, and action allow-list configuration
- references/reusable-workflow-security.md covering internal vs external workflow trust models, transitive dependency risks (trivy-action pattern), an audit checklist, and the shared workflow repos pattern
- references/security-config.md: Pinned-Dependencies row updated to cross-reference both new docs

Test plan
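As an added example that is not part of this PR or its reference docs, the following POSIX shell check flags uses: references in a workflow file that are not pinned to a full 40-character commit SHA, which is the condition the sha_pinning_required org setting enforces (it also catches the short-SHA case the commit message mentions). The sample workflow and its SHA value are constructed for the demonstration.

```shell
# Added example, not from the PR's reference docs: flag `uses:` references in a
# workflow file that are not pinned to a full 40-hex-char commit SHA, i.e. refs
# the sha_pinning_required org setting would reject. Sample workflow is constructed.
set -eu

# Print each unpinned reference as "<line>:<ref>"; return 1 if any were found.
find_unpinned_uses() {
  file="$1"; found=0; lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in *"uses:"*) ;; *) continue ;; esac
    ref="${line#*uses:}"
    ref="${ref%%#*}"                          # drop trailing YAML comment
    ref="${ref#"${ref%%[![:space:]]*}"}"      # trim leading whitespace
    ref="${ref%"${ref##*[![:space:]]}"}"      # trim trailing whitespace
    ref=$(printf '%s' "$ref" | tr -d "\"'")   # strip optional quotes
    # Local actions and docker images are outside the scope of SHA pinning.
    case "$ref" in ./*|docker://*) continue ;; esac
    sha="${ref##*@}"                          # text after the last '@' (the ref itself if none)
    if [ "$sha" = "$ref" ] || ! printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
      printf '%s:%s\n' "$lineno" "$ref"
      found=1
    fi
  done < "$file"
  return "$found"
}

# Constructed sample workflow; the 40-char SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW=$(mktemp)
trap 'rm -f "$SAMPLE_WORKFLOW"' EXIT
cat > "$SAMPLE_WORKFLOW" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # mutable tag
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567   # pinned
      - uses: example-org/scan-action@main   # mutable branch
      - uses: actions/cache@0123456          # short SHA: not accepted as a pin
      - uses: ./.github/actions/local        # local action, out of scope
      - run: npm test
EOF

if find_unpinned_uses "$SAMPLE_WORKFLOW"; then
  echo "all action references are pinned to full commit SHAs"
else
  echo "the references listed above would be rejected under sha_pinning_required" >&2
fi
```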