Third-party GitHub Actions

Today I came across these steps to guide our decision-making process before using a 3rd-party GitHub Action:

  1. For simple tasks, avoid external GitHub Actions because the risk might outweigh the value. Maybe a simple curl could do it as well? 😉
  2. Use GitHub Actions from Verified Creators because they follow a strict security review process.
  3. Use the latest version of a GitHub Action because it might contain security fixes.
  4. Think about GitHub Actions like dependencies: they need to be maintained and updated. Dependabot or Renovate can help here.
  5. Think about disabling or limiting GitHub Actions for your organization(s) in Settings.
  6. Have a PR process with multiple reviewers to avoid adding a malicious GitHub Action.
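As an added example that is not part of the original post, here is a small Python check that applies the spirit of steps 1 to 4 to a workflow file: it lists every third-party `uses:` reference (owner outside a trusted allowlist) that is not pinned to a full commit SHA, which goes one step beyond "use the latest version" by making the pin immutable so that Dependabot or Renovate can bump it in a reviewable PR. The trusted-owner set and the owner/repo names in the sample workflow are assumptions made for this example.

```python
import re

# Owners treated as first-party here (assumption for this example; replace with
# your organisation's own allowlist of verified creators).
TRUSTED_OWNERS = {"actions", "github"}

# Matches `uses:` entries in a workflow file, e.g. `- uses: owner/repo@ref`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^\s\"'#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text, trusted_owners=TRUSTED_OWNERS):
    """Return (line_number, reference, problem) for every third-party action
    that is not pinned to a full 40-hex-digit commit SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions (./path) and Docker images are out of scope for this check.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        repo, _, version = ref.partition("@")
        owner = repo.split("/", 1)[0]
        if owner in trusted_owners:
            continue
        if not version:
            findings.append((lineno, ref, "no version given"))
        elif not FULL_SHA_RE.match(version):
            findings.append((lineno, ref, "mutable ref (tag/branch), not a full commit SHA"))
    return findings


# Constructed sample workflow; the third-party owner/repo names are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-linter@v2
      - uses: another-org/deploy-tool@main
      - uses: ./.github/actions/local-step
      - uses: pinned-org/pinned-tool@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for lineno, ref, problem in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {problem}")
```

Run it in CI over `.github/workflows/*.yml` and fail the job when the list is non-empty; Dependabot's `github-actions` ecosystem keeps SHA pins current.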

This article was updated on April 8, 2024.
