github-actions

Installation

SKILL.md

GitHub Actions Code Review Rules

Security (Critical)

Pin actions to full commit SHA (not @v1 or @main)
Use minimal permissions block (principle of least privilege)
Never echo secrets or use them in URLs
Use secrets.GITHUB_TOKEN instead of PATs when possible
Audit third-party actions before use
Review expressions (${{ }}) for injection risks; never interpolate untrusted user input
Validate all inputs to reusable workflows and custom actions

Permissions

permissions:
  contents: read  # Minimal by default
  # Add only what's needed:
  # pull-requests: write
  # issues: write

Related skills

More from yldgio/anomaly-codereview

Installs

2

Repository

yldgio/anomaly-…dereview

First Seen

Jan 30, 2026

Security Audits

Gen Agent Trust HubPass