Improve the Actions workflows #32554

jessehouwing · 2025-08-28T12:13:59Z

jessehouwing
Aug 28, 2025

After the security issues from the past days, I took a look at the Actions infrastructure and was wondering whether you'd want some support. A quick read of the disclosure indicates a number of potential things that would be helpful to prevent similar issues in the future.

I'd love to help out here...

Things that immediately spring to mind:

Set the default permissions for all actions to read only
Set job level permissions in workflows.
Enable free GitHub Advanced Security Code Scanning for GitHub Actions
Optionally add a required workflow which runs ActionLint and/or GHAS on actions.
Enable Dependabot for Actions & Upgrade existing actions
Pin all actions to SHA instead of tag
Add pull_request_target to Secret Scanning as a push protection pattern.
Consider Hardened Runner from StepSecurity to detect runners going out of bounds
break critical workflows into separate workflow and call them using a callable workflow.

jessehouwing · 2025-09-03T09:32:06Z

jessehouwing
Sep 3, 2025
Author

Now with a extensive blog post explaining each possible remediation:

https://jessehouwing.net/github-actions-learnings-from-the-recent-nx-hack/

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Improve the Actions workflows #32554

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Improve the Actions workflows #32554

Uh oh!

jessehouwing Aug 28, 2025

Replies: 1 comment

Uh oh!

jessehouwing Sep 3, 2025 Author

jessehouwing
Aug 28, 2025

jessehouwing
Sep 3, 2025
Author