gha-pipelines
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADS
Full Analysis
- [SAFE]: The skill mandates the use of minimal permissions for GitHub Actions, explicitly advising against the use of "permissions: write-all".
- [EXTERNAL_DOWNLOADS]: References official and well-known GitHub Actions for workflow automation, including "actions/checkout", "jdx/mise-action", "docker/login-action", and "fluxcd/flux2/action". These are sourced from trusted organizations and services.
- [SAFE]: Encourages the use of "actions/github-script" for complex logic and API interactions, which is a safer alternative to raw shell scripts for handling JSON and API responses in CI environments.
- [SAFE]: Includes explicit anti-patterns that prevent common security pitfalls, such as installing tools via "apt-get" or "brew" during runtime and hardcoding versions in workflow files.
Audit Metadata