Guides for securing GitHub Actions workflows
Practical articles on SHA pinning, GitHub Actions permissions, pull_request_target risk, workflow security scanning, and CI/CD hardening for small engineering teams.
Pin third-party actions to immutable commit SHAs.
Reduce broad write access in workflow tokens.
Review risky triggers before workflow changes merge.
GitHub Actions hardening articles

Most workflows do not need a write-capable GITHUB_TOKEN. This guide shows how to trim GitHub Actions permissions step by step, starting from a read-only default and adding back only the scopes each job actually uses.

A practical rollout plan for SHA pinning in GitHub Actions, including what to pin first and how to handle updates safely.

Understand the real risk behind pull_request_target (it runs in the base repository's context, with its secrets and a write-capable token) and how to keep untrusted pull request code separate from that privileged automation.

A practical buying guide for teams evaluating GitHub Actions security scanners, from finding quality to remediation workflow and policy fit.
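The three checklist items above and the article summaries that follow them (SHA pinning, GITHUB_TOKEN permissions, pull_request_target) all come down to patterns you can spot in a workflow file. As an added example, not code from this site or from any of the articles it links, here is a small Python audit that flags each pattern in a workflow. The two workflow texts, the `some-org/setup-tool` action name and the 40-hex SHAs are constructed placeholders, not real releases; the script is line-oriented so it runs without a YAML library, and it only credits a top-level `permissions:` block (job-level blocks are not counted, which is a deliberate simplification).

```python
"""Audit a GitHub Actions workflow for three hardening gaps:
unpinned third-party actions, broad or missing token permissions,
and pull_request_target checking out untrusted PR code.
Regex-based on purpose so it runs with the standard library only."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERMS_TOP_RE = re.compile(r"^permissions:\s*(.*)$")            # top level only
TRIGGER_RE = re.compile(
    r"^\s*(-\s*)?pull_request_target\s*:?\s*$"                 # block form
    r"|^on:\s*.*\bpull_request_target\b"                       # inline list form
)
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def audit_workflow(text):
    """Return a list of human-readable findings for one workflow file."""
    findings = []
    has_top_permissions = False
    uses_pr_target = False
    checks_out_pr_head = False
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # Local composite actions and docker images are out of scope here.
            if not (ref.startswith("./") or ref.startswith("docker://")):
                name, _, version = ref.partition("@")
                if not SHA_RE.match(version):
                    findings.append(
                        f"line {n}: {name} pinned to mutable ref "
                        f"'{version or '(none)'}'; pin to a commit SHA"
                    )
        m = PERMS_TOP_RE.match(line)
        if m:
            has_top_permissions = True
            if m.group(1).strip() == "write-all":
                findings.append(
                    f"line {n}: top-level permissions: write-all grants every "
                    "scope; list only the scopes the jobs need"
                )
        if TRIGGER_RE.search(line):
            uses_pr_target = True
        if PR_HEAD_RE.search(line):
            checks_out_pr_head = True
    if not has_top_permissions:
        findings.append(
            "no top-level permissions block: GITHUB_TOKEN falls back to the "
            "repository default, which may be read/write"
        )
    # pull_request_target alone is fine; checking out the PR head under it
    # runs untrusted code with the base repo's secrets and token.
    if uses_pr_target and checks_out_pr_head:
        findings.append(
            "pull_request_target checks out github.event.pull_request.head.*: "
            "untrusted PR code runs with a write-capable token and access to secrets"
        )
    return findings


# Constructed sample: the weak workflow exhibits all three problems.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/setup-tool@main
      - run: ./scripts/test.sh
"""

# Constructed sample: same job with a read-only token, a non-privileged
# trigger, and placeholder 40-hex SHAs standing in for real release commits.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: some-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - run: ./scripts/test.sh
"""

if __name__ == "__main__":
    for finding in audit_workflow(WEAK_WORKFLOW):
        print("weak:", finding)
    print("hardened:", audit_workflow(HARDENED_WORKFLOW) or "no findings")
```

Running it prints four findings for the weak workflow (two mutable refs, no top-level permissions, and the pull_request_target plus head checkout combination) and none for the hardened one. In a real pipeline you would run it over every file under `.github/workflows/` and fail the pull request on any finding, which is exactly the guardrail the checklist describes.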
Turn the checklist into pull request guardrails
Use action pin to find GitHub Actions security issues, open reviewable fixes, and block risky workflow changes before they merge.

