Date posted: 06 Feb 2021

GitHub Actions & Security: Best practices

I’ve been diving into the security aspects of using GitHub Actions and wanted to share some best practices in one place.

Photo: locks on a fence, by Jon Moore on Unsplash

Forking action repositories

In the post on Forking action repositories I show these best practices:

  • Verify the code the Action executes before you run it
  • Pin versions to a full commit SHA rather than a tag or branch
  • Fork the action repositories you depend on
  • Keep your forks up to date
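The pinning step is the one that is easiest to check mechanically. The script below is an added example, not code from the original post: it scans a workflow file for `uses:` references and reports every one that does not resolve to a fixed revision. A reference to a tag or branch (`@v2`, `@main`) or with no ref at all can be moved by the action's maintainer, or by anyone who takes over the repository, without any change on your side; a full 40-character commit SHA cannot. Docker-based actions get the same treatment: an image tag can be republished, an `@sha256:` digest cannot. The sample workflow, the placeholder SHA in it and the helper names are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not from the original post). It mixes pinned
# and unpinned references so the checker has something to flag. The SHA on
# the setup-node line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: actions/cache
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.13
      - name: Build
        run: npm ci && npm test
"""

# A `uses:` line, with or without the list dash, stopping before any comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Only a full 40-hex SHA counts as pinned; abbreviated SHAs are rejected.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(reference: str) -> Tuple[bool, str]:
    """Return (pinned, reason) for a single `uses:` reference."""
    if reference.startswith("./"):
        # Local action: its code lives in this repository and is reviewed with it.
        return True, "local action"
    if reference.startswith("docker://"):
        image = reference[len("docker://"):]
        if "@sha256:" in image:
            return True, "image pinned by digest"
        return False, "docker image referenced by tag, not by digest"
    if "@" not in reference:
        return False, "no ref: resolves to the default branch at run time"
    _, ref = reference.rsplit("@", 1)
    if FULL_SHA_RE.match(ref):
        return True, "pinned to a full commit SHA"
    return False, f"ref '{ref}' is a tag or branch that can be moved"


def check_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reference, reason) for every unpinned `uses:`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        reference = match.group(1)
        pinned, reason = classify(reference)
        if not pinned:
            findings.append((line_no, reference, reason))
    return findings


if __name__ == "__main__":
    for line_no, reference, reason in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {reference}: {reason}")
```

Run against the sample, the checker flags `actions/checkout@v2`, `actions/cache` (no ref) and `docker://alpine:3.13`, and accepts the SHA-pinned and local steps. Two caveats: a SHA pins which code runs, it does not tell you whether that code is safe, so the first bullet (reading what the Action does) still applies; and the check works on text rather than parsed YAML, so it is a linting aid, not a policy enforcement point.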

Secure your private runners

In the post on Private runners I explain these best practices:

  • Limit the access of your private runner to only what its jobs need
  • Do not use a runner for more than one repository
  • Never use a private runner for your public repositories

Do not reuse a runner, ever!