docs: security hardening info for actions untrusted content#38048
Conversation
github-actions bot commented May 5, 2025 • edited
How to review these changes 👓 Thank you for your contribution. To review these changes, choose one of the following options: A Hubber will need to deploy your changes internally to review. Table of review links. Note: Please update the URL for your staging server or codespace. The table shows the files in the Key: fpt: Free, Pro, Team; ghec: GitHub Enterprise Cloud; ghes: GitHub Enterprise Server. 🤖 This comment is automatically generated.
Thanks for opening a pull request! We've triaged this issue for technical review by a subject matter expert 👀
This is a gentle bump for the docs team that this PR is waiting for technical review.
@wrslatz Sorry this took a while! I think I talked to most of the Actions teams before I found the one I needed to get the SME review. I'm referring it to our writers to review for style now. Thank you for being patient.
Thanks, @Sharra-writes!
…uides/security-hardening-for-github-actions.md
Co-authored-by: Jaroslav Lobačevski <jarlob@github.com>
Co-authored-by: Will Slattum <wrslatz@gmail.com>
Co-authored-by: Jaroslav Lobačevski <jarlob@github.com>
Co-authored-by: Will Slattum <wrslatz@gmail.com>
I found an additional section of the docs that needs an update related to this change. Pushing that up shortly.
@Sharra-writes @JarLob I found additional content in enterprise guidance that I updated in f471511. Let me know what you think.
@wrslatz We're doing some work on the organization of Actions articles, so the team asked me to put this on hold on our review board until that's finished, but hopefully that will give you time to get another review from the security folks, since the writing review needs to be the final thing once we know the information is correct.
Co-authored-by: Jaroslav Lobačevski <jarlob@github.com>
wrslatz commented Jul 14, 2025 • edited
@Sharra-writes Got security review 🎉 I can always rebase once those changes are in, just keep me posted.
Why:
The Security hardening for GitHub Actions documentation currently has no content or recommendations covering untrusted content being checked out and executed in Actions workflow runs. Someone recently shared the Grafana GitHub Actions Security Incident write-up from StepSecurity and I went to share the hardening guide with them only to not find any recommendations covering this case. I did share https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ with them, but this was harder to find since it is not in the GitHub docs. I expected this security issue to be covered in the docs since untrusted input and third-party Actions, which have similar implications, are covered in the same docs already.
What's being changed (if available, include any code snippets, screenshots, or gifs):
Document the risks and recommended hardening mitigations for untrusted content being checked out and executed in GitHub Actions pull requests.
Check off the following:
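As an added illustration (not part of this PR or of the GitHub docs it changes), the workflow pattern the linked pwn-request research warns about, shown beside two hardened alternatives; the workflow names, the `npm` commands and the label name are assumed, and the three documents stand for three separate workflow files:

```yaml
# RISKY: pull_request_target runs in the context of the base repository,
# so GITHUB_TOKEN is writable and repository secrets are available.
# Checking out the PR head and then running its scripts executes
# untrusted content with those privileges.
name: ci-risky
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted content
      - run: npm ci && npm test  # package.json scripts come from the PR
---
# HARDENED (build/test): use the pull_request event, which for fork PRs
# runs with a read-only GITHUB_TOKEN and without repository secrets.
name: ci-hardened
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # checks out the merge commit by default
      - run: npm ci && npm test
---
# HARDENED (privileged side): pull_request_target is acceptable only when
# the job never checks out or executes PR content; here it only labels.
name: label-pr
on:
  pull_request_target:
    types: [opened]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: gh pr edit "$PR" --repo "$GITHUB_REPOSITORY" --add-label needs-review
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}
```

If a workflow genuinely needs both untrusted build output and write access, keep them in separate workflows and pass data between them via artifacts rather than by checking out the PR head under `pull_request_target`.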