GitHub Actions CI/CD
Pathrule • 3 Rules • 1 Memory • 1 Skill
A bundle of rules, memories, and a review skill that lock GitHub Actions workflows to least-privilege tokens, SHA-pinned actions, and keyless OIDC deploys. It encodes the current 2026 stack (checkout@v6, setup-node@v6, cache@v5) so coding agents stop reintroducing long-lived secrets and over-broad permissions. Use it to keep CI fast with caching and matrix builds while staying audit-clean.
Suggested path map
Pathrule places each piece on the matching path, so your assistant only sees it where it belongs. This is the scoping you get on import; you can adjust it in your workspace.
Rules (3)

Least-privilege GITHUB_TOKEN by default
/.github/workflows • high • strict
Default-deny permissions, grant the minimum per job.

Every workflow must set explicit `permissions` instead of relying on the default read/write `GITHUB_TOKEN`.

- Set `permissions: {}` (or `contents: read`) at the workflow top level as a default-deny baseline.
- Grant scopes only on the individual jobs that need them, e.g. `packages: write` on the publish job only.
- Add `id-token: write` strictly on jobs that request an OIDC token, never workflow-wide.
- Set a `concurrency` group with `cancel-in-progress: true` so stale runs cannot push or deploy.

Pin every action to a full commit SHA
/.github/workflows • high • strict
No mutable tags; pin third-party actions to an immutable SHA.

Reference every `uses:` action by a full-length 40-character commit SHA, with the human-readable version in a trailing comment.

- Write `uses: actions/checkout@<sha> # v6.0.0`, not `actions/checkout@v6` or `@main`.
- Referencing a mutable tag lets an upstream maintainer, or an attacker with write access to the action's repository, swap the code that runs on your runner.
- First-party `actions/*` may pin to the major tag only if org policy allows it; all third-party and marketplace actions must be SHA-pinned.
- Keep pins current with Dependabot (`dependabot.yml` with `package-ecosystem: github-actions`) or `pin-github-action` so you get patched SHAs, not stale ones.

Cloud deploys authenticate via OIDC, not stored static keys
/.github/workflows • high • strict
Federate to a short-lived cloud role; never store long-lived access keys as repo secrets.

A long-lived cloud key stored as a CI secret is the highest-value, lowest-rotation credential most teams hold. Federate instead so the credential is minted per run and expires on its own.

- Grant the deploy job `permissions: id-token: write` and exchange the GitHub OIDC JWT for a cloud role. For AWS use `aws-actions/configure-aws-credentials` with `role-to-assume` and no `aws-access-key-id`/`aws-secret-access-key`. GCP and Azure have equivalent workload-identity federation actions.
- Lock the IAM trust policy to `repo:org/name` and constrain on `ref` or `environment` claims so only the intended branch or protected environment can assume the role.
- Bind the deploy job to a protected GitHub Environment with required reviewers; environment secrets are exposed only to that job.
- Note the immutable `sub` subject-claim rollout for new repositories (June 18 2026); pin trust conditions to claims that survive it.

Memories (1)

Current GitHub Actions stack and caching defaults (2026)
/.github/workflows
Pinned action versions and the caching approach we use.

These are the current stable building blocks for our pipelines as of mid-2026; do not downgrade them when editing workflows.

- Core actions: `actions/checkout@v6`, `actions/setup-node@v6`, `actions/cache@v5` (cache runs on Node 24 and needs runner >= 2.327.1).
- Prefer the built-in cache of `setup-node` (`cache: 'npm'`) over a manual `actions/cache` step for dependency restore.
- Reserve standalone `actions/cache` for build outputs (Turbo, Next, Playwright browsers) keyed on a lockfile hash with a partial `restore-keys` fallback.
- Test across versions with a matrix, e.g. `strategy.matrix.node: [20, 22, 24]`, and gate merges on the matrix job.
- Avoid `pull_request_target` with untrusted inputs in `run:` steps; an attacker can inject arbitrary shell commands via a PR title or body.

Skills (1)

github-actions-cicd-review
/root
Checklist to review a GitHub Actions workflow before merge.

---
name: github-actions-cicd-review
description: Review checklist for GitHub Actions CI/CD workflows covering least-privilege tokens, SHA-pinned actions, OIDC deploys, caching, and matrix builds. Use when creating or editing any file under .github/workflows.
---

# GitHub Actions CI/CD review

- [ ] Workflow declares a top-level `permissions:` block that is default-deny (`{}` or `contents: read`).
- [ ] Write scopes (`packages`, `contents`, `id-token`, etc.) are granted per job, not workflow-wide.
- [ ] Every `uses:` references a full 40-char commit SHA with a `# vX.Y.Z` comment; no `@main` or floating tags.
- [ ] Dependabot or `pin-github-action` is configured to keep action SHAs current.
- [ ] Action versions are current: `checkout@v6`, `setup-node@v6`, `cache@v5` or newer.
- [ ] Dependency caching is enabled (`setup-node` `cache: 'npm'` or a lockfile-keyed `actions/cache`).
- [ ] Build matrix covers the supported runtime versions and merge protection requires the matrix job.
- [ ] Cloud deploys use OIDC (`id-token: write` + `role-to-assume`), with no long-lived keys in repo secrets.
- [ ] OIDC trust policy / `sub` claim is scoped to this repo and branch or environment.
- [ ] Deploy jobs target a protected GitHub Environment with required reviewers.
- [ ] A `concurrency` group with `cancel-in-progress: true` prevents overlapping deploy runs.
- [ ] `pull_request_target` triggers with untrusted-input `run:` steps are absent or carefully sandboxed.
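
An added example, not part of the Pathrule bundle: a small Python lint that applies three items of the checklist above to workflow text (a top-level `permissions` block exists, `id-token: write` is not granted workflow-wide, every `uses:` is pinned to a 40-character SHA). It assumes the strict policy with no major-tag exception for `actions/*`, scans lines instead of parsing YAML, and the sample workflow, action name and SHA are constructed.

```python
import re

# Constructed sample workflow; the action name and SHA are made up for illustration.
SAMPLE = """\
name: deploy
on: push
permissions:
  contents: read
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")

def lint_workflow(text):
    """Return (line_number, message) findings; line 0 means the whole file."""
    findings = []
    has_top_permissions = False
    in_top_permissions = False
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():
            # A key at column 0 opens a new top-level block.
            in_top_permissions = stripped.startswith("permissions:")
            has_top_permissions = has_top_permissions or in_top_permissions
        if in_top_permissions and re.search(r"id-token:\s*write\b", stripped):
            findings.append((n, "id-token: write granted workflow-wide"))
        m = USES.match(line)
        if m:
            ref = m.group(1)
            # Local and container actions have no upstream tag to pin.
            if not ref.startswith(("./", "docker://")) and not FULL_SHA.search(ref):
                findings.append((n, f"not pinned to a full commit SHA: {ref}"))
    if not has_top_permissions:
        findings.append((0, "no top-level permissions block"))
    return findings

if __name__ == "__main__":
    for line_no, message in lint_workflow(SAMPLE):
        print(f"line {line_no}: {message}")
```
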
Why this pattern
AI agents and busy teams keep shipping GitHub Actions workflows with write-all tokens, mutable action tags, and long-lived cloud secrets that fail security review.
Built for: Platform and application teams running GitHub Actions CI/CD who let AI agents edit workflow files.
Keeps your assistant from:
- Workflows running with the default read/write GITHUB_TOKEN instead of explicit least privilege
- Pinning third-party actions to mutable tags like @v4 instead of an immutable commit SHA
- Storing long-lived cloud access keys as repo secrets instead of deploying with OIDC
- License: Apache-2.0
- Version: 1.0.0
- Updated: 2026-06-09