
Secure GitHub Actions

Create, review, and audit GitHub Actions workflows with supply-chain-safe defaults.

CRITICAL RULES

  1. Read the relevant reference files first. When the user's request involves any topic in the reference table below, read those files before doing anything else. Briefly mention which files you are reading so the user can confirm the skill is active.
  2. Pin every non-local uses: reference to a full 40-character commit SHA. Treat @v*, @main, @master, branch names, and short SHAs as security debt.
  3. Never invent SHAs. Resolve them from GitHub or ask the user; if you cannot verify the right SHA, say so explicitly instead of fabricating one.
  4. Do not introduce pull_request_target unless the user explicitly requires it and the workflow never executes untrusted code with secrets or write permissions.
  5. Never splice untrusted context directly into shell. Move ${{ github.* }}, ${{ inputs.* }}, and similar values into env: and quote the shell variable.
  6. Set an explicit least-privilege permissions: block. Default to read-only and grant write scopes only to the specific job that needs them.
  7. Always run the full audit checklist when asked to "audit", "harden", or "security scan" a repository.
  8. Never silently skip a check. If a tool is missing (gitleaks, trufflehog, zizmor), report it and suggest installation.
  9. After compaction or context loss, re-read this SKILL and the reference files before continuing.
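Rules 2, 4, 5 and 6 can be checked mechanically. The block below is an added example, not part of this skill or its reference files: a dependency-free Python checker that scans workflow text for unpinned uses: references (rule 2), pull_request_target triggers (rule 4), untrusted ${{ github.* }} or ${{ inputs.* }} expressions inside run: scripts (rule 5), and a missing workflow-level permissions: block (rule 6). It runs against two constructed sample workflows, a weak one and its hardened form. The 40-zero SHA in the hardened sample is a placeholder, not a real commit, exactly the kind of value rule 3 says must be resolved rather than invented.

```python
import re
from typing import List

# Added example: line-oriented checker for the rules above. It avoids a YAML
# library so it runs anywhere and understands the usual workflow layout
# (one key per line, block scalars for multi-line run: scripts).

PINNED = re.compile(r"@[0-9a-f]{40}$")            # full 40-hex commit SHA after '@'
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")  # captures the action reference
RUN = re.compile(r"^(\s*)(-\s*)?run:(.*)$")       # indent, optional dash, script text
# Context values an outside party can influence (rule 5 names github.* and inputs.*)
UNTRUSTED = re.compile(r"\$\{\{\s*(?:github|inputs)\.[^}]*\}\}")


def audit_workflow(text: str) -> List[str]:
    """Return one finding string per rule violation; an empty list means clean."""
    findings: List[str] = []
    lines = text.splitlines()

    # Rule 6: a top-level (column 0) permissions: block must be present.
    if not any(line.startswith("permissions:") for line in lines):
        findings.append("no workflow-level permissions: block (rule 6)")

    # Rule 4: pull_request_target needs an explicit justification from the user.
    if re.search(r"\bpull_request_target\b", text):
        findings.append("workflow uses pull_request_target (rule 4)")

    run_key_indent = None  # set while inside a multi-line run: block scalar
    for n, line in enumerate(lines, 1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())

        if run_key_indent is not None:
            if stripped and indent <= run_key_indent:
                run_key_indent = None  # dedented: the script has ended
            else:
                if UNTRUSTED.search(line):
                    findings.append(f"line {n}: untrusted expression inside run: script (rule 5)")
                continue

        m = USES.match(line)
        if m:
            ref = m.group(1)
            # Rule 2 applies to non-local actions; ./path actions live in this repo.
            if not ref.startswith("./") and not PINNED.search(ref):
                findings.append(f"line {n}: uses: {ref} is not pinned to a 40-char SHA (rule 2)")
            continue

        m = RUN.match(line)
        if m:
            lead, dash, script = m.groups()
            if UNTRUSTED.search(script):
                findings.append(f"line {n}: untrusted expression inside run: script (rule 5)")
            if script.strip().startswith(("|", ">")):
                # Block scalar: the script continues on lines indented past the run: key.
                run_key_indent = len(lead) + len(dash or "")
    return findings


# Constructed sample: floating tag, no permissions block, issue title spliced into shell.
VULNERABLE = """\
name: triage
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "New issue: ${{ github.event.issue.title }}"
"""

# Constructed hardened form: read-only permissions, SHA pin, value passed via env:.
HARDENED = """\
name: triage
on: issues
permissions:
  contents: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      # The 40-zero SHA is a PLACEHOLDER for this example; resolve the real commit (rule 3).
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder)
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $ISSUE_TITLE"
"""

if __name__ == "__main__":
    for name, workflow in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        results = audit_workflow(workflow)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

The checker is deliberately conservative: it flags every non-local reference that is not a 40-hex SHA, so @v4, @main and short SHAs all surface as findings, and it treats any github.* or inputs.* expression inside a run: script as a finding regardless of whether that particular field is attacker-controlled, which is the safe direction for an audit.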

Operating procedure

For writing or editing workflows

First Seen: Mar 31, 2026