AgentSkillsCN

supply-chain-hygiene

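Use when adding or updating dependencies, build pipelines, packaging, containerization, or releases. Focused on GitHub Actions; aims for SBOM, provenance, and scanning under the principle of least privilege.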

SKILL.md
--- frontmatter
name: supply-chain-hygiene
description: Use when adding/updating dependencies, build pipelines, packaging, containers, or releases. GitHub Actions focused. Aim for SBOM + provenance + scanning with least privilege.

Principles:

  • Prefer short-lived, federated auth (OIDC) over long-lived secrets.
  • Least-privilege workflow permissions and environment protections.
  • Produce verifiable artifacts: SBOM + build provenance + (optional) signatures.

Checklist (GitHub Actions):

  1. Dependency controls
  • Ensure Dependabot is enabled (deps + GitHub Actions versions)
  • Add dependency review on PRs (block known-vulnerable dependencies and forbidden licenses where required)
  • Add/verify CodeQL code scanning for relevant languages
  • Enable secret scanning + push protection where available/allowed
  2. Workflow hardening
  • Pin third-party actions to commit SHA (or organization-approved policy)
  • Default GITHUB_TOKEN permissions to read-only; elevate per job only when required
  • Avoid dangerous patterns:
    • untrusted code in privileged workflows
    • unsafe pull_request_target usage
    • downloading/using artifacts without verification
  • Prefer reusable workflows for shared hardening patterns
  3. Provenance & SBOM
  • Generate SBOM for release artifacts (CycloneDX or SPDX format)
  • Generate build provenance attestation for produced artifacts
  • Publish SBOM and attestation alongside the artifact (release assets or artifact store)
  • Document how to verify provenance/SBOM for consumers
  4. Signing (optional but recommended for high-risk artifacts)
  • Sign container images or packages (Sigstore/cosign or org standard)
  • Store verification policy/runbook
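
One way to check the workflow-hardening items above automatically (SHA pinning, default GITHUB_TOKEN permissions, pull_request_target), as an added example that is not part of the original skill. The sample workflow and the example-org action names are constructed; the line-based matching and treating every non-local action as third-party are assumptions of this example.

```python
import re

# Constructed sample workflow (not from the page) with three hygiene problems.
SAMPLE_WORKFLOW = """\
name: release
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/setup-tool@v2
      - uses: example-org/build-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return a list of (line_number, finding) for one workflow file's text."""
    findings = []
    lines = text.splitlines()
    # A top-level `permissions:` key sets the default GITHUB_TOKEN scope for all jobs.
    if not any(re.match(r"permissions:", ln) for ln in lines):
        findings.append((0, "no top-level permissions: block (token scope not restricted)"))
    for no, ln in enumerate(lines, 1):
        if re.match(r"\s*#", ln):
            continue  # skip comment-only lines
        if re.search(r"\bpull_request_target\b", ln):
            findings.append((no, "pull_request_target in use: review for untrusted code"))
        m = USES_RE.match(ln)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are outside this check
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append((no, f"action not pinned to commit SHA: {ref}"))
    return findings


if __name__ == "__main__":
    for no, finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: {finding}")
```

Line number 0 marks a file-level finding. Run it over each file under `.github/workflows/` and fail the PR check when the list is non-empty.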

Finish with:

  • What was added/enabled (Dependency Review, CodeQL, secret scanning, SBOM, provenance)
  • Where artifacts are published (SBOM + attestation)
  • How to verify (commands/steps)
  • Remaining gaps/todos