Principles:
- Prefer short-lived, federated auth (OIDC) over long-lived secrets.
- Least-privilege workflow permissions and environment protections.
- Produce verifiable artifacts: SBOM + build provenance + (optional) signatures.
Checklist (GitHub Actions):
- Dependency controls
  - Ensure Dependabot is enabled (dependencies + GitHub Actions versions)
  - Add dependency review on PRs (block known-vulnerable dependencies and forbidden licenses where required)
  - Add/verify CodeQL code scanning for relevant languages
  - Enable secret scanning + push protection where available/allowed
- Workflow hardening
  - Pin third-party actions to a commit SHA (or follow the organization-approved policy)
  - Default GITHUB_TOKEN permissions to read-only; elevate per job only when required
  - Avoid dangerous patterns:
    - running untrusted code in privileged workflows
    - unsafe pull_request_target usage
    - downloading/using artifacts without verification
  - Prefer reusable workflows for shared hardening patterns
- Provenance & SBOM
  - Generate an SBOM for release artifacts (CycloneDX or SPDX format)
  - Generate a build provenance attestation for produced artifacts
  - Publish the SBOM and attestation alongside the artifact (release assets or artifact store)
  - Document how consumers verify the provenance/SBOM
- Signing (optional but recommended for high-risk artifacts)
  - Sign container images or packages (Sigstore/cosign or org standard)
  - Store the verification policy/runbook
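As an added illustration (not part of the original checklist), a minimal release workflow that applies the hardening items above: read-only default token, per-job elevation, SHA-pinned actions, SBOM generation, and a build provenance attestation. The `<pinned-sha>` values, the `./build.sh` build command, and the `<org>` owner are placeholders; action input names are as documented for the versions noted in the trailing comments and should be checked against the pinned release.

```yaml
# Added example workflow; placeholders are marked with <...>.
name: release

on:
  push:
    tags: ["v*"]

# Least privilege by default; jobs elevate only what they need.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # OIDC token for keyless signing / attestation
      attestations: write   # required by actions/attest-build-provenance
    steps:
      # Pin to a full commit SHA, not a mutable tag; keep the tag in a comment for review.
      - uses: actions/checkout@<pinned-sha> # v4
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - name: Build
        run: |
          mkdir -p dist
          ./build.sh dist/app.tar.gz   # placeholder build command

      # SBOM (CycloneDX JSON) for the release artifact.
      - uses: anchore/sbom-action@<pinned-sha> # v0
        with:
          path: .
          format: cyclonedx-json
          output-file: dist/app.sbom.cdx.json

      # Build provenance attestation over the produced artifact.
      - uses: actions/attest-build-provenance@<pinned-sha> # v1
        with:
          subject-path: dist/app.tar.gz

      # Publish the SBOM alongside the artifact (release asset or artifact store).
      - uses: actions/upload-artifact@<pinned-sha> # v4
        with:
          name: release-assets
          path: dist/

# Consumer verification with the gh CLI (document this for consumers):
#   gh attestation verify dist/app.tar.gz --owner <org>
```

Dependency review and CodeQL belong in a separate pull_request-triggered workflow, since this one only runs on tag pushes.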
Finish with:
- What was added/enabled (Dependency Review, CodeQL, secret scanning, SBOM, provenance)
- Where artifacts are published (SBOM + attestation)
- How to verify (commands/steps)
- Remaining gaps/todos