
Document safe GitHub Actions scripting practices #447

@U8NWXD

Description

Here are some good development practices for GitHub Actions that we've found. These should be documented on the wiki and checked by reviewers.

  • Principle of least privilege:
    • When using GITHUB_TOKEN: Top-level permissions should be {}. Minimal permissions should be granted job-by-job. A job with elevated permissions (anything with write permissions) should contain minimal code, and any logic that can be performed without elevated permissions should be in a separate job.
    • When using a custom token: Avoid classic personal access tokens, as these give broad permissions. Fine-grained tokens and GitHub App tokens are acceptable instead.
  • Script Injection: Script injection is surprisingly easy in GitHub Actions because anything inside ${{...}} is evaluated and inserted with no validation checks. Carefully read GitHub's docs on this issue and follow their mitigation advice.
    • Validate all inputs.
  • Add Dependencies Safely: All third-party GitHub Actions you call have full access to the CI environment, including to the GITHUB_TOKEN. To minimize the risk of introducing malicious code this way, third-party actions should be vetted using our standard vetting procedures and should be pinned with a commit hash. Again, refer to GitHub's recommendations.
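The three practices above side by side, as an added example workflow that is not part of this issue or the project's repository. The first document is a weak issue-triage workflow; the second is the same workflow hardened. Workflow, job and step names are placeholders, and the 40-character action pin is a dummy SHA that only shows the form: a real pin must be the commit that the vetted release tag resolves to, checked against the upstream repository.

```yaml
# WEAK: one job holds a write-all token, runs unpinned third-party code,
# and splices attacker-controlled text straight into a shell script.
name: triage-weak
on:
  issues:
    types: [opened]
permissions: write-all            # every scope, for every job
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # mutable tag: a repointed tag changes what runs here
      - env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # ${{ }} is expanded into the script text BEFORE bash sees it, so an issue
          # titled   "; <commands>; echo "   closes the quotes and runs <commands>
          # with the write-all token above.
          if echo "${{ github.event.issue.title }}" | grep -qi bug; then
            gh issue edit ${{ github.event.issue.number }} --add-label bug
          fi
---
# HARDENED: no default permissions, untrusted input only via environment
# variables, logic split away from the job that can write, and a pinned action.
name: triage-hardened
on:
  issues:
    types: [opened]
permissions: {}                   # top level grants nothing; each job asks for what it needs
jobs:
  classify:                       # all the logic lives here, with read-only access
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      label: ${{ steps.decide.outputs.label }}
    steps:
      # Only needed if the job reads files from the repo. Placeholder SHA shown;
      # pin to the real commit of the vetted release and note the version beside it.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
      - id: decide
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}   # value of a variable, never script text
        run: |
          label=""
          case "$ISSUE_TITLE" in
            *[Bb]ug*) label=bug ;;
          esac
          # Only a fixed, known string leaves this job; the raw title does not.
          echo "label=$label" >> "$GITHUB_OUTPUT"
  label:                          # minimal code, the only job with a write scope
    needs: classify
    if: needs.classify.outputs.label != ''
    runs-on: ubuntu-latest
    permissions:
      issues: write               # the single scope this step requires
    steps:
      - env:
          GH_TOKEN: ${{ github.token }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          LABEL: ${{ needs.classify.outputs.label }}
        run: gh issue edit "$ISSUE_NUMBER" --add-label "$LABEL"
```

The env indirection works because an expression inside `env:` is stored as the variable's value, whereas the same expression inside `run:` is substituted into the script source, which bash then parses. Quoting the variable (`"$ISSUE_TITLE"`) keeps it a single word in the shell. Job outputs derived from untrusted input are themselves untrusted, which is why `classify` emits only a fixed string and `label` still passes it through `env:`. When reviewing, check that the job holding a write scope contains no third-party `uses:` step, since any such action would receive that token.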
