Integrating security into your CI/CD pipeline is critical to practicing DevSecOps. This GHA aims to be secure by default, and it should be complemented with your own review to ensure it meets your (organization's) security requirements.
- All 3 GHAs used in this workflow are pinned to a specific commit SHA (rather than a mutable tag or branch) to prevent supply chain attacks from upstream dependencies: actions/cache, actions/github-script and actions/upload-artifact.
- Restrict changes to certain environments with deployment protection rules, or set `apply_require_approval`, so that approval is required from authorized users/teams before changes to the infrastructure can be applied.
- Ease of integration with OpenID Connect (OIDC) by passing short-lived credentials as environment variables to the workflow.
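One way to enforce the SHA-pinning property described above in your own pipeline, as an added example that is not part of this action's code: a POSIX shell check that scans a workflow file and fails if any `uses:` reference is not pinned to a full 40-hex commit SHA. The sample workflow and the SHA inside it are constructed for the demo (the SHA is a placeholder, not a real commit), and the function names `unpinned_actions`, `check_pinned_actions` and `write_sample_workflow` are assumed here.

```shell
#!/bin/sh
# Added example (not the project's own code): fail CI when a workflow file
# references a GitHub Action that is not pinned to a full 40-hex commit SHA.

# Print every `uses:` reference in a workflow file that is not pinned to a
# 40-hex commit SHA. Handles `- uses:` and `uses:` step forms, quoted values
# and trailing `# vX.Y.Z` comments. Local actions (./path) are skipped: they
# live in the same repository and are reviewed with it. Prints nothing when
# every reference is pinned.
unpinned_actions() {
    grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//' \
    | tr -d "\"'" \
    | grep -v '^\./' \
    | grep -Ev '@[0-9a-f]{40}$' \
    || true
}

# Return 1 (listing the offenders on stderr) if any reference is unpinned,
# 0 otherwise. Wire this into a pre-merge job against .github/workflows/*.yml.
check_pinned_actions() {
    offenders=$(unpinned_actions "$1")
    if [ -n "$offenders" ]; then
        printf 'unpinned action references in %s:\n%s\n' "$1" "$offenders" >&2
        return 1
    fi
    return 0
}

# Constructed sample workflow for the demo. The SHA below is a placeholder;
# real ones come from the action's release page or `git ls-remote --tags`.
write_sample_workflow() {
    cat > "$1" <<'EOF'
name: sample
on: push
jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: cache
        uses: "actions/cache@0123456789abcdef0123456789abcdef01234567" # v4 (placeholder SHA)
      - uses: actions/upload-artifact@main
      - uses: ./.github/actions/local-helper
EOF
}

# Demo: the sample has two mutable references (a tag and a branch), so the
# check is expected to fail on it.
sample=$(mktemp)
write_sample_workflow "$sample"
check_pinned_actions "$sample" || echo "check failed as expected for the sample workflow"
```

The check is deliberately strict: a tag such as `@v4` can be moved to a different commit by whoever controls the upstream repository, which is exactly the supply-chain risk SHA pinning removes. Keep the `# vX.Y.Z` comment after each pinned SHA so reviewers (and tools such as Dependabot, which can bump pinned SHAs) can still see which release it corresponds to.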
| Version | Supported |
|---------|-----------|
| v10.X   | Yes       |
| ≤ v9.X  | No        |
You must never report security-related issues, vulnerabilities or bugs containing sensitive information to the issue tracker, or anywhere else in public. Instead, sensitive bugs must be sent by email to security@devsec.top or reported via a Security Advisory.