github · GitHub Actions Docs
Actions Secure use reference - GitHub Docs
A collection of security best practices and implementation patterns for GitHub Actions, including OIDC configuration for cloud providers, artifact attestation, and hardening deployments.
Derived skill
Files assembled from official documentation
When To Use
Use when you need to implement secure authentication with cloud providers via OIDC, verify artifact integrity, or harden GitHub Actions workflows against common security threats.
Reference Files
| File | Contains | Use For |
|---|---|---|
| SKILL.md | Entry point: scope, routing table, and workflow. | Start here. |
| docs/actions-security-secure-use-reference-github-docs-workflow-guide.md | A guide detailing security practices for writing workflows, using secrets, and mitigating script injection attacks in GitHub Actions. | Questions about a guide detailing security practices for writing workflows, using secrets, and mitigating script injection attacks in... |
| examples/actions-security-secure-use-reference-github-docs-github-actions-secure-.text | A workflow example demonstrating the secure use of actions by passing specific event context properties to a step. | Exact payloads, commands, or snippets shown in A workflow example demonstrating the secure use of actions by passing specific event context properties to a step. |
| examples/actions-security-secure-use-reference-github-docs-github-actions-secure--2.text | A GitHub Actions workflow step that uses a shell script to validate a pull request title against a specific pattern. | Exact payloads, commands, or snippets shown in A GitHub Actions workflow step that uses a shell script to validate a pull request title against a specific pattern. |
| examples/actions-security-secure-use-reference-github-docs-github-actions-secure--3.text | A text example demonstrating the security risk of injecting untrusted pull request titles directly into environment variables within a GitHub Actions workflow. | Exact payloads, commands, or snippets shown in A text example demonstrating the security risk of injecting untrusted pull request titles directly into environment v... |
| examples/actions-security-secure-use-reference-github-docs-github-actions-secure--4.text | A shell command example demonstrating the secure use of encoded JIT configuration variables in a GitHub Actions workflow. | Exact payloads, commands, or snippets shown in A shell command example demonstrating the secure use of encoded JIT configuration variables in a GitHub Actions workf... |
What This Skill Covers
- GitHub Actions / Reference / Security / Secure use
- Main sections: In this article, Writing workflows, Use secrets for sensitive information, Good practices for mitigating script injection attacks, Use an action instead of an inline script.
Workflow
- Open the most relevant file under docs/ for the exact documented workflow and wording.
- Open schemas/ files for exact structured contracts.
- Open examples/ files for concrete requests, commands, snippets, and manifests.
- Do not add behavior or configuration that is not present in the attached source files.
Canonical source: https://docs.github.com/en/actions/reference/security/secure-use
