Best Practices to Implement GitHub Actions and Workflows
The LHM GitHub Actions documentation we offer in lhm_actions are mainly used by workflows of LHM Reference Architecture Templates and therefore in most of our project repositories.
These actions can also be used in projects that are not based on the reference architecture templates. Although it might be necessary that you have to implement your own action or workflow. In this case please take care about security vulnerabilities and that you adhere to Security practices for writing workflows and using GitHub Actions features, especially:
- Use an intermediate environment variable
- Pin actions to a full-length commit SHA
- Restricting permissions for tokens
- Using workflow templates for code scanning: we offer already an action and a workflow to use CodeQL.
Further Reading
- GitHub Secure use reference
- Salesforce GitHub Actions Security Best Practices
- GitLab about Supply Chain Attacks Pipeline security lessons from March supply chain incidents
