Third-party GitHub Actions

Today I came across these steps to guide our decision-making process before using a third-party GitHub Action:

  1. For simple tasks, avoid external GitHub Actions because the risk might outweigh the value. Maybe a simple curl could do it as well? 😉
  2. Use GitHub Actions from Verified Creators because they follow a strict security review process.
  3. Use the latest version of a GitHub Action because it might contain security fixes.
  4. Think about GitHub Actions like dependencies: they need to be maintained and updated. Dependabot or Renovate can help here.
  5. Think about disabling or limiting GitHub Actions for your organization(s) in Settings.
  6. Have a PR process with multiple reviewers to avoid adding a malicious GitHub Action.
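As an added example (not from the original post), the following script turns steps 2 to 4 into a check a PR reviewer from step 6 could run: it flags `uses:` references whose owner is not on a trusted-owner allowlist and references not pinned to a full commit SHA, the form Dependabot or Renovate can bump safely. `TRUSTED_OWNERS`, the sample workflow and its SHA are constructed assumptions; the real Verified Creator badge can only be checked on the Marketplace.

```python
import re

# Assumed allowlist of action owners the organisation has already reviewed;
# this stands in for the Marketplace "Verified Creator" badge, which is not
# checkable offline.
TRUSTED_OWNERS = {"actions", "github"}

# Matches `- uses: owner/repo[/sub/path]@ref` on one workflow line.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def lint_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, reference, reason) for each risky `uses:` line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        # Local composite actions and docker images are out of scope here.
        if ref.startswith(("./", "docker://")):
            continue
        if "@" not in ref:
            findings.append((lineno, ref, "no version specified"))
            continue
        path, version = ref.rsplit("@", 1)
        owner = path.split("/", 1)[0]
        if owner not in TRUSTED_OWNERS:
            findings.append((lineno, ref, f"owner '{owner}' is not on the trusted list"))
        # A tag or branch can be moved after review; a commit SHA cannot.
        if not SHA_RE.fullmatch(version):
            findings.append((lineno, ref, f"'{version}' is a mutable tag or branch"))
    return findings

# Constructed sample workflow (not from the post); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-helper
      - uses: someone/unvetted-action@main
"""

if __name__ == "__main__":
    for lineno, ref, reason in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```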