github-actions-supply-chain
Official skill. Harden GitHub Actions, reduce CI supply-chain risk.
Author: Habitat-Thinking
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
Provides a structured checklist and guidance to find and remediate supply-chain and security weaknesses in GitHub Actions workflows, reducing the risk of secret exfiltration and malicious code execution via CI.
Core Features & Use Cases
- SHA pinning enforcement: Ensure every uses: reference is pinned to a full 40-character commit SHA, with the human-readable tag retained as a trailing comment.
- Third-party action risk identification: Flag actions outside the actions/ and github/ namespaces and classify their risk.
- Permissions and trigger hardening: Verify minimal permissions blocks, detect unsafe pull_request_target usage, and find user-controlled inputs (for example pull request titles or bodies) that flow into run: commands.
- Maintenance automation: Check for Dependabot or Renovate configuration to keep pinned SHAs up to date.
- Use Case: Run this checklist during repository security reviews, CI hardening sprints, or pre-release audits to produce a prioritized findings table and remediation plan.
Quick Start
Run a supply chain assessment across the repository's .github/workflows directory and report any actions not pinned to commit SHAs, workflows missing minimal permissions, or unsafe pull_request_target usage.
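The following is an added example, not the skill's own code, showing what the four checks above look like as a small static audit over an in-memory repository. It is regex-based rather than YAML-parsing so it runs with the standard library only; the sample workflow, the placeholder commit SHA and the repository file names are constructed for the example.

```python
"""Static audit of GitHub Actions workflows for supply-chain weaknesses.

Added example (not part of the skill). Implements the four checklist items:
SHA pinning, third-party namespaces, permissions/trigger hardening (including
user-controlled event data reaching run: steps) and Dependabot/Renovate presence.
"""
import re
from dataclasses import dataclass

# Constructed sample repository: one workflow with several weaknesses and no
# dependency-update configuration. The SHA below is a placeholder, not a real commit.
SAMPLE_REPO = {
    ".github/workflows/ci.yml": """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: some-org/deploy-action@main
      - name: greet
        run: echo "Hello ${{ github.event.pull_request.title }}"
""",
}

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
TRUSTED_NAMESPACES = ("actions/", "github/")
# Event fields an external contributor controls; interpolating them with ${{ }}
# into a shell command lets the value be executed as part of the command.
USER_CONTROLLED = re.compile(
    r"\$\{\{\s*github\.event\.(pull_request\.(title|body|head\.(ref|label))"
    r"|issue\.(title|body)|comment\.body|review\.body|head_commit\.message"
    r"|commits\[[^\]]*\]\.message)\b"
)
UPDATE_CONFIGS = (".github/dependabot.yml", ".github/dependabot.yaml",
                  "renovate.json", ".github/renovate.json")


@dataclass
class Finding:
    path: str
    line: int          # 0 means the finding concerns the whole file or repo
    severity: str
    rule: str
    detail: str


def audit_workflow(path, text):
    """Return findings for one workflow file, with 1-based line numbers."""
    findings = []
    lines = text.splitlines()
    if not any(re.match(r"^\s*permissions:", ln) for ln in lines):
        findings.append(Finding(path, 0, "medium", "missing-permissions",
                                "no permissions: block; GITHUB_TOKEN gets the default scopes"))
    in_run, run_indent = False, 0
    for no, ln in enumerate(lines, 1):
        indent = len(ln) - len(ln.lstrip())
        # A multi-line run: block continues while lines are blank or indented deeper.
        if not (in_run and (not ln.strip() or indent > run_indent)):
            in_run = False
        if re.match(r"^\s*pull_request_target:", ln):
            findings.append(Finding(path, no, "high", "pull_request_target",
                                    "runs with base-repo secrets; review that PR head code is never executed"))
        m = USES.match(ln)
        if m and not m.group(1).startswith(("./", "docker://")):  # local/docker refs handled separately
            ref = m.group(1)
            repo, _, version = ref.partition("@")
            if not FULL_SHA.match(version):
                findings.append(Finding(path, no, "high", "unpinned-action",
                                        f"{ref} is not pinned to a 40-character commit SHA"))
            if not repo.startswith(TRUSTED_NAMESPACES):
                findings.append(Finding(path, no, "medium", "third-party-action",
                                        f"{repo} is outside actions/ and github/; classify its risk"))
        run = re.match(r"^(\s*)-?\s*run:\s*(.*)$", ln)
        if run:
            in_run, run_indent = True, len(run.group(1))
        if in_run and USER_CONTROLLED.search(ln):
            findings.append(Finding(path, no, "high", "script-injection",
                                    "user-controlled event data in a run: command; pass it through env: instead"))
    return findings


def audit_repo(files):
    """Audit every workflow in a {path: contents} mapping plus update-automation config."""
    findings = []
    for path in sorted(files):
        if path.startswith(".github/workflows/") and path.endswith((".yml", ".yaml")):
            findings.extend(audit_workflow(path, files[path]))
    if not any(p in files for p in UPDATE_CONFIGS):
        findings.append(Finding("<repo>", 0, "low", "no-update-automation",
                                "no Dependabot or Renovate config; pinned SHAs will go stale"))
    return findings


if __name__ == "__main__":
    for f in audit_repo(SAMPLE_REPO):
        print(f"{f.severity:6} {f.path}:{f.line} {f.rule}: {f.detail}")
```

Running the script against the constructed sample reports seven findings: the missing permissions block, the pull_request_target trigger, two unpinned actions (one of them also third-party), the title interpolated into a run: step, and the absent update-automation config. The remediation for the run: finding is the one the checklist implies: move the expression into an env: entry and reference it as a shell variable, so the value is data rather than command text.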
Dependency Matrix
Required Modules
None required
Components
Standard package
Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: github-actions-supply-chain Download link: https://github.com/Habitat-Thinking/ai-literacy-superpowers/archive/main.zip#github-actions-supply-chain Please download this .zip file, extract it, and install it in the .claude/skills/ directory.