What are the risks of using 'secrets: inherit' in GitHub Actions?

It grants the called workflow access to all secrets in the caller's context, which can lead to accidental exposure or malicious exfiltration if the downstream workflow is compromised.

Can I limit which repositories use my reusable workflows?

Yes, this skill provides guidance on implementing caller restrictions to ensure that only authorized repositories within your organization can execute sensitive workflow logic.

Why should I use SHA pinning instead of version tags?

Tags are mutable and can be moved by an attacker or repository owner. SHA pinning provides an immutable reference, ensuring you run the exact code that was previously audited.

How does this skill prevent command injection?

The skill provides patterns for strict input validation and explains how to avoid directly using untrusted inputs in run scripts, which is a common vector for injection attacks.

GitHub Actions Workflow Security

Name: GitHub Actions Workflow Security
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

0•

Security & Testing

Secures GitHub Actions reusable workflows by implementing input validation, explicit secret inheritance, and supply chain protection patterns.

The Reusable Workflow Security skill equips Claude with specialized knowledge to harden GitHub Actions CI/CD pipelines against common attack vectors. It focuses on mitigating privilege escalation and supply chain risks by guiding developers through the implementation of SHA-pinning for version control, restricting caller repositories, and replacing dangerous 'secrets: inherit' patterns with explicit secret passing. This skill is essential for teams looking to centralize their automation logic without compromising their organization's security posture.

Key Features

010 GitHub stars

02Transition patterns from broad secret inheritance to explicit passing

03SHA-pinning for immutable workflow references

04Caller restriction policies to prevent unauthorized workflow execution

05Input validation and sanitization for workflow arguments

06Protection against command injection in CI/CD environments

Use Cases

01Auditing existing GitHub Actions for secret exposure risks

02Standardizing secure workflow composition patterns for DevOps teams

03Hardening shared CI/CD libraries across an organization

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills reusable-workflow-security

For use in Claude.ai and ChatGPT

Download Skill