I’ve been diving into the security aspects of using GitHub Actions and wanted to share some best practices in one place.
Forking action repositories
In the post on Forking action repositories I show these best practices:
- Verify the code the Action is executing
- Pinning versions
- Forking repositories
- Keeping your forks up to date
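As an added example (not code from the original post or from GitHub), here is a small Python check for the "verify the code" and "pin versions" practices above: it scans a workflow file's `uses:` lines and reports every action or container image that is not pinned to a full commit SHA or image digest, so a mutable tag or branch cannot silently change the code your job runs. The sample workflow and the 40-character SHA in it are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the original post). The SHA is a
# made-up placeholder, not a real commit; only its shape (40 hex chars) matters.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v4
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^\s\"'#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses: str):
    """Return (target, ref, status) for one `uses:` value."""
    if uses.startswith("./"):
        return uses, None, "local"          # action code lives in this repo
    if uses.startswith("docker://"):
        # container images are immutable only when pinned by digest
        status = "pinned-digest" if "@sha256:" in uses else "unpinned"
        return uses, None, status
    if "@" not in uses:
        return uses, None, "unpinned"       # no ref at all -> default branch
    target, ref = uses.rsplit("@", 1)
    if SHA_RE.match(ref):
        return target, ref, "pinned-sha"    # full commit SHA: immutable
    return target, ref, "unpinned"          # tag or branch: can be moved


def find_unpinned_uses(workflow_text: str):
    """Return [(line_no, target, ref)] for every step not pinned to a SHA/digest."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        target, ref, status = classify_ref(match.group(1))
        if status == "unpinned":
            findings.append((line_no, target, ref))
    return findings


if __name__ == "__main__":
    for line_no, target, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {target} is pinned to {ref or 'nothing'}, not a commit SHA")
```

Run it over each file in `.github/workflows/` as a pre-merge check; a clean run means every third-party action is locked to a specific commit that you have reviewed (or to your own fork of it).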
Secure your private runners
In the post on Private runners I explain these best practices:
- Limit the access of your private runner
- Do not use a runner for more than one repository
- Never use a private runner for your public repositories
- Do not reuse a runner, ever!