github-actions-workflows
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill explicitly enforces the use of full commit SHAs for pinning GitHub Actions (e.g.,
actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683), protecting against supply chain attacks where tags might be moved to malicious code. - [SAFE]: It provides detailed guides and templates for implementing OpenID Connect (OIDC) for Azure deployments, which eliminates the need for storing long-lived, sensitive credentials in GitHub Secrets.
- [SAFE]: Every workflow template includes a strict
permissionsblock (e.g.,contents: read,id-token: write), adhering to the principle of least privilege by disabling the defaultwrite-allaccess. - [SAFE]: The included security checklist provides educational value by demonstrating how to prevent common vulnerabilities, such as shell script injection from untrusted event data (like PR titles) and accidental secret leakage in logs.
- [SAFE]: The skill uses and references actions only from trusted organizations (GitHub, Azure, Docker, Hashicorp) or well-known services (Codecov, Aqua Security), all of which are recognized as safe sources.
- [SAFE]: Deployment patterns for Hetzner Cloud and K3s include proactive security measures, such as mandatory SSH key cleanup in
if: always()steps and restricting SSH key scopes.
Audit Metadata