GitHub Actions Security Checklist for Supply Chain Attacks

This practical checklist from Corgea provides actionable steps to secure GitHub Actions workflows against supply chain attacks. Key priorities include: setting default GITHUB_TOKEN permissions to read-only, pinning third-party actions to full commit SHAs, avoiding pull_request_target for public repositories, treating all untrusted input (PR titles, issue bodies, branch names) as hostile, and using OIDC instead of long-lived cloud secrets. The full checklist covers locking down organization defaults, making workflow permissions explicit, preventing script injection, reducing secret exposure, hardening runners, securing artifacts and caches, and adding continuous detection with tools like zizmor and OpenSSF Scorecard. The guide emphasizes that workflow YAML is part of the trusted computing base and provides a practical rollout plan for hardening repositories. 

https://corgea.com/learn/github-actions-security-checklist