GitHub Actions Code Review Rules
Security (Critical)
- •Pin actions to full commit SHA (not
@v1or@main) - •Use minimal
permissionsblock (principle of least privilege) - •Never echo secrets or use them in URLs
- •Use
secrets.GITHUB_TOKENinstead of PATs when possible - •Audit third-party actions before use
- •Review expressions (
${{ }}) for injection risks; never interpolate untrusted user input - •Validate all inputs to reusable workflows and custom actions
Permissions
yaml
permissions: contents: read # Minimal by default # Add only what's needed: # pull-requests: write # issues: write
Secrets
- •Store secrets in repository/organization secrets
- •Use environments for production secrets with approvals
- •Don't pass secrets as command arguments (visible in logs)
- •Mask sensitive output with
::add-mask:: - •Never write secrets to files or artifacts (can be exposed)
- •Avoid passing secrets via environment variables unless absolutely required
- •Secrets in env vars can be visible in process listings
Performance
- •Use caching for dependencies (
actions/cacheor built-in) - •Run independent jobs in parallel
- •Use
concurrencyto cancel redundant runs - •Consider self-hosted runners for heavy workloads
Workflow Structure
- •Use reusable workflows for common patterns
- •Use composite actions for shared steps
- •Set appropriate
timeout-minutesto prevent hung jobs - •Use
if:conditions to skip unnecessary jobs - •Separate CI (testing), CD (deployments), and PR checks into distinct workflows
- •Use environments to distinguish between dev, staging, and production
- •Avoid mixing all concerns in a single monolithic workflow
Triggers
- •Be specific with
pathsandbranchesfilters - •Use
workflow_dispatchfor manual triggers - •Consider
pull_request_targetsecurity implications
Common Anti-patterns
- •Avoid
actions/checkoutwithpersist-credentials: trueunless needed - •Avoid running on
pushto all branches - •Avoid hardcoding versions that need updates
Action Updates and Maintenance
- •Monitor pinned action SHAs for security fixes
- •Subscribe to security advisories for actions you use
- •Update actions regularly to get new features and fixes
- •Document why specific SHAs are pinned (security, stability)
- •Consider using Dependabot for action version updates
Testing and Validation
- •Lint workflows with tools like
actionlint - •Test complex workflows in feature branches before merging
- •Validate workflow syntax before committing
- •Use workflow templates for consistency
- •Add job-level tests for workflow logic validation
Error Handling
- •Use
continue-on-error: falseas default (explicit failure) - •Set
fail-fast: truefor matrix jobs to stop on first failure - •Only use
continue-on-error: truewhen failure is acceptable - •Provide clear error messages in job outputs
- •Use status checks to ensure critical jobs pass
Documentation
- •Add inline comments for complex workflow logic
- •Document workflow purpose and triggers
- •Maintain workflow README or documentation
- •Explain environment variables and their usage
- •Document required secret names and their purpose (never include actual secret values)