Can I use these for different programming languages?

Yes, the CI and security scanning workflows include specific variants and testing patterns for Node.js, Python, and Go.

What is SHA-pinning and why is it used?

SHA-pinning uses unique commit hashes instead of version tags for actions to prevent supply chain attacks from unauthorized or malicious updates to third-party actions.

Do these workflows support cloud deployments?

Yes, it includes deployment templates specifically for GCP via OIDC federation, supporting environment protections, canary rollouts, and automated rollbacks.

What security features are included in these templates?

The templates include SHA-pinned actions, job-level minimal GITHUB_TOKEN permissions, OIDC for secret-less cloud access, and comprehensive security scanning.

Hardened CI/CD Workflow Templates

Name: Hardened CI/CD Workflow Templates
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

Deployment & DevOps

Provides production-ready, security-hardened GitHub Actions templates featuring SHA-pinning, OIDC authentication, and minimal permission scoping.

About

This skill offers a comprehensive library of copy-paste ready GitHub Actions workflows designed with a security-first approach to protect your software supply chain. It integrates industry-standard best practices, including SHA-pinned actions to prevent supply chain attacks, minimal GITHUB_TOKEN permission scoping, and OIDC federation for secret-less cloud authentication. Whether you are configuring continuous integration, managing signed releases with SLSA provenance, or deploying to cloud environments like GCP, these templates provide the necessary guardrails and inline documentation to ensure compliance and robust security from day one.

Key Features

SLSA provenance and artifact attestation for signed releases
SHA-pinned actions for verified supply chain security
OIDC-based cloud authentication for secret-less deployments
Minimal GITHUB_TOKEN permission scoping per job
Integrated security scanning (SAST, SCA, and Container)
0 GitHub stars

Use Cases

Setting up OIDC-based cloud deployments with automated rollbacks
Automating signed software releases with SLSA L2/L3 provenance
Implementing secure PR validation and automated test gates

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills complete-workflow-examples

For use in Claude.ai and ChatGPT

Download Skill

GitHub