Labels: p1 (We will address this soon and will provide capacity from our team for it in the next few releases.)
Description
Apply best practices described in https://wiki.mozilla.org/GitHub/Repository_Security/GitHub_Workflows_%26_Actions.
Workflow Review & Governance
- Require code reviews for all workflow changes: Must be enforced via branch protection & CODEOWNERS
- Review all scripts run in workflows for code injection risk: Applies to inline and external scripts
- Use scanning tools to detect workflow misconfigurations: Example tools include OSSF Scorecard and octoscan
- Treat GitHub Actions as third-party code and review dependencies: Applies to all external Actions
Principle of Least Privilege
- Set `persist-credentials: false` in `actions/checkout`: Prevents hidden credential persistence. See: MDN workflows using actions/checkout
- Unset or restrict `GITHUB_TOKEN` via `permissions: {}`: Restrict token scope per job. See: MDN workflows without `permissions:`
- Validate Dependabot via `github.event.pull_request.user.login` instead of `github.actor`: Prevents spoofed bot impersonation. See: MDN workflows referencing `github.actor`
- Disable unnecessary GitHub Actions jobs (e.g., unused publishing): Reduces attack surface
Supply Chain Security
- Pin all third-party GitHub Actions to specific commit SHAs: Avoids tag hijacking
- Rotate credentials immediately if exposure suspected: Applies to all tokens and API keys
- Update third-party actions to latest patched versions: Validate integrity before deployment
- Follow GitHub’s Security Best Practices for authors of Actions: Applies if MDN maintains Actions
- Enforce attestations for container-based Actions: Verify source provenance
- Regularly audit workflow files and logs for anomalies: Look for encoded or obfuscated code
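The Least Privilege and Supply Chain items above are mechanically checkable. The following is an added example (not MDN's code and not part of this issue): a dependency-free Python linter that walks a workflow file line by line and flags a missing `permissions:` block, conditions that rely on `github.actor`, `uses:` references that are not pinned to a full 40-hex commit SHA, and `actions/checkout` steps without `persist-credentials: false`. Both workflow texts are constructed samples, and the SHAs in the hardened one are placeholders rather than real commits.

```python
import re

# Constructed sample: a workflow showing the weaknesses the checklist calls out.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      - run: npm test
"""

# Constructed sample: the same workflow after applying the checklist.
# The 40-hex SHAs are placeholders, not real commits.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request_target:
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
        with:
          persist-credentials: false
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567 # v1.0.0
      - run: npm test
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _step_blocks(lines):
    """Yield (index, block) for each '- ' list item plus the lines nested under it."""
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)- ", lines[i])
        if not m:
            i += 1
            continue
        indent = len(m.group(1))
        j = i + 1
        while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > indent):
            j += 1
        yield i, lines[i:j]
        i = j


def lint_workflow(text):
    """Return (check_id, line_number) findings; line numbers are 1-based, 0 = whole file."""
    lines = text.splitlines()
    findings = []
    # Token scope: the checklist wants permissions: {} (or a per-job block) somewhere.
    # A fuller check would confirm every job is covered; any permissions: key suffices here.
    if not any(re.match(r"^\s*permissions:", ln) for ln in lines):
        findings.append(("no-permissions", 0))
    for n, ln in enumerate(lines, 1):
        # github.actor can be spoofed; bot identity must come from the event payload.
        if re.search(r"\bgithub\.actor\b", ln):
            findings.append(("github-actor", n))
        # Third-party actions must be pinned to a full commit SHA, not a tag or branch.
        m = USES_RE.match(ln)
        if m and not m.group(1).startswith(("./", "docker://")):
            ref = m.group(1).rsplit("@", 1)[1] if "@" in m.group(1) else ""
            if not SHA_RE.fullmatch(ref):
                findings.append(("unpinned", n))
    # actions/checkout stores the token in the local git config unless told not to.
    for idx, block in _step_blocks(lines):
        if re.search(r"uses:\s*actions/checkout@", block[0]):
            if not any(re.search(r"persist-credentials:\s*false", b) for b in block[1:]):
                findings.append(("persist-credentials", idx + 1))
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, lint_workflow(wf))
```

Run against the weak sample it reports five findings (missing permissions, the `github.actor` condition, two unpinned actions, and the checkout without `persist-credentials: false`); the hardened sample produces none. The line-based approach is deliberately simple so it runs without a YAML parser; OSSF Scorecard and octoscan, named later in the list, do the same kind of checks with a real parser.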
Scanning & Tooling
- Integrate OSSF Scorecard Action with `publish_results: false`: Follow installation instructions
- Address “Dangerous Workflow” OSSF findings: Minimum compliance requirement
- Use Synacktiv’s octoscan or equivalent for branch-level checks: Local scanning for all branches
Sensitive Data & Secrets Management
- Add `.env` to `.dockerignore`: Prevents secret leakage in Docker images
- Avoid storing tokens in Git: Enforce via `.gitignore` and secret scanning
- Avoid caching in privileged jobs: Prevent cache poisoning
- Use Docker Secrets for managing credentials: Avoid embedding secrets in workflows
Token Permissions
- Restrict `GITHUB_TOKEN` permissions to minimum required: Use read-only permissions where possible
- Enforce org-wide “Read repository contents” default: Configure under GitHub Actions → General
Input / Output Validation
- Treat all `github.event.*` parameters as untrusted input: Sanitize before use in shell commands
- Pass untrusted input via `env:` to ensure safe encoding: Use environment variables instead of direct interpolation
- Treat `github.event.inputs` as untrusted; encode properly: Apply same pattern as above
- Use `$GITHUB_OUTPUT` instead of `$GITHUB_ENV` for passing outputs: Prevents privilege escalation
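The Input / Output Validation items above describe one pattern: never expand `${{ github.event.* }}` or `${{ github.event.inputs.* }}` inside a `run:` script, pass the value through `env:` and read it as a shell variable instead, and write step outputs to `$GITHUB_OUTPUT` rather than `$GITHUB_ENV`. The following is an added example, not MDN's code or part of this issue: a Python check that extracts every `run:` script from a workflow (inline or block scalar) and flags untrusted-context expressions and `$GITHUB_ENV` writes inside them, alongside constructed samples of the risky steps and their `env:`-indirected form.

```python
import re

# Constructed sample: steps that interpolate untrusted event data straight into shell.
INJECTABLE_STEPS = """\
name: greet
on:
  pull_request_target:
  workflow_dispatch:
    inputs:
      version:
        description: Version to tag
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Thank the author
        run: echo "Thanks for ${{ github.event.pull_request.title }}"
      - name: Record version
        run: |
          echo "VERSION=${{ github.event.inputs.version }}" >> "$GITHUB_ENV"
"""

# Constructed sample: the same steps using env: indirection and $GITHUB_OUTPUT.
SAFE_STEPS = """\
name: greet
on:
  pull_request_target:
  workflow_dispatch:
    inputs:
      version:
        description: Version to tag
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Thank the author
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Thanks for $PR_TITLE"
      - name: Record version
        id: version
        env:
          VERSION: ${{ github.event.inputs.version }}
        run: |
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
"""

EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")
# Contexts the checklist says to treat as untrusted input.
UNTRUSTED_RE = re.compile(r"^(github\.event\.|github\.head_ref|inputs\.)")
BLOCK_SCALARS = {"|", ">", "|-", ">-", "|+", ">+"}


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _run_scripts(lines):
    """Yield (run_line, script) for every run: key, joining block-scalar bodies."""
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)(?:-\s+)?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        key_indent, rest = len(m.group(1)), m.group(2).strip()
        run_line = i + 1  # 1-based line of the run: key
        if rest in BLOCK_SCALARS:
            j = i + 1
            while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > key_indent):
                j += 1
            yield run_line, "\n".join(ln.strip() for ln in lines[i + 1:j])
            i = j
        else:
            yield run_line, rest
            i += 1


def find_injection_risks(text):
    """Return (check_id, run_line, detail) for risky shell steps."""
    findings = []
    for run_line, script in _run_scripts(text.splitlines()):
        # Expressions are expanded by the runner before the shell sees the script,
        # so an untrusted value becomes part of the command text itself.
        for expr in EXPR_RE.findall(script):
            if UNTRUSTED_RE.match(expr):
                findings.append(("untrusted-interpolation", run_line, expr))
        # Writing to $GITHUB_ENV lets a step redefine variables for every later step;
        # the checklist prefers $GITHUB_OUTPUT. (This regex does not catch ${GITHUB_ENV}.)
        if re.search(r"\$GITHUB_ENV\b", script):
            findings.append(("github-env-write", run_line, "$GITHUB_ENV"))
    return findings


if __name__ == "__main__":
    print(find_injection_risks(INJECTABLE_STEPS))
    print(find_injection_risks(SAFE_STEPS))
```

Expressions under `env:` are not scanned on purpose: there the runner assigns the value to an environment variable, and a double-quoted `"$PR_TITLE"` in the script is plain data to the shell, which is exactly the encoding the checklist asks for.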
Docker Build Hygiene
- Add `.git/` to `.dockerignore`: Avoid leaking Git metadata
- Add `node_modules/` to `.dockerignore`: Reduce build size and attack surface
- Add `*.log` and `*.tmp` to `.dockerignore`: Prevent including temporary or log files
- Add `gha-creds-*.json` to `.dockerignore`: Prevent leaking GitHub credential files
- Build Docker images before `google-github-actions/auth@v2`: Avoid inclusion of auth credentials in build context (We're using the official build-and-push action.)
Applies to the following repos with .dockerignore:
- mdn/mdn-http-observatory
- mdn/rumba
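The Docker Build Hygiene items are two checks a repository can run on itself: that `.dockerignore` lists every required pattern, and that the image is built before `google-github-actions/auth` runs, since that action writes a `gha-creds-*.json` file into the workspace that would otherwise end up in the build context. The following is an added example, not MDN's code or part of this issue; the `.dockerignore` contents and workflow fragments are constructed samples with placeholder SHAs, and `./scripts/push-image.sh` is a hypothetical stand-in for the registry push.

```python
import re

# Patterns the checklist requires in .dockerignore.
REQUIRED_IGNORES = [".env", ".git/", "node_modules/", "*.log", "*.tmp", "gha-creds-*.json"]

# Constructed sample: a .dockerignore that covers only part of the list.
INCOMPLETE_DOCKERIGNORE = """\
# build artefacts
.git/
node_modules/
*.log
*.tmp
"""

# Constructed sample: full coverage (.git without the slash is equivalent).
COMPLETE_DOCKERIGNORE = """\
.env
.git
node_modules/
*.log
*.tmp
gha-creds-*.json
"""


def missing_dockerignore_entries(dockerignore_text):
    """Return the required patterns absent from the given .dockerignore contents."""
    present = set()
    for raw in dockerignore_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            # Docker cleans patterns, so a trailing slash does not change the match.
            present.add(line.rstrip("/"))
    return [p for p in REQUIRED_IGNORES if p.rstrip("/") not in present]


# Constructed sample: auth runs first, so its gha-creds-*.json is inside the build context.
MISORDERED_WORKFLOW = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
  - uses: google-github-actions/auth@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
    with:
      workload_identity_provider: ${{ secrets.WIP }}
      service_account: ${{ secrets.SA }}
  - uses: docker/build-push-action@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
    with:
      context: .
      push: true
"""

# Constructed sample: build first, authenticate afterwards, then push the built image.
CORRECT_ORDER_WORKFLOW = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
  - uses: docker/build-push-action@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
    with:
      context: .
      push: false
      tags: example/image:ci
  - uses: google-github-actions/auth@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
    with:
      workload_identity_provider: ${{ secrets.WIP }}
      service_account: ${{ secrets.SA }}
  - run: ./scripts/push-image.sh  # hypothetical placeholder for the registry push
"""


def auth_before_build(workflow_text):
    """True when google-github-actions/auth precedes docker/build-push-action (the misordering)."""
    uses = [m.group(1) for m in re.finditer(r"uses:\s*(\S+)", workflow_text)]
    positions = {}
    for i, u in enumerate(uses):
        positions.setdefault(u.split("@", 1)[0], i)  # first occurrence of each action
    auth = positions.get("google-github-actions/auth")
    build = positions.get("docker/build-push-action")
    return auth is not None and build is not None and auth < build


if __name__ == "__main__":
    print(missing_dockerignore_entries(INCOMPLETE_DOCKERIGNORE))
    print(auth_before_build(MISORDERED_WORKFLOW), auth_before_build(CORRECT_ORDER_WORKFLOW))
```

The `.dockerignore` check is a belt-and-braces measure: even with the steps in the right order, listing `gha-creds-*.json` keeps a later reordering from silently baking credentials into an image.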
Audit & Review Process
- Audit code before first use of new actions: Verify security posture before onboarding
- Audit version changes of existing actions: Check diffs for malicious updates
- Audit dependencies of actions: Review transitive dependencies
- Permit only specific revisions (commit SHAs) for actions: Restrict to immutable references
- Periodically review and update this guideline document: Ensure compliance list stays current