
GitHub Actions — Checklist

OWNER: alex, tjitte
ALSO_USED_BY: leon, marta, iwona
LAST_VERIFIED: 2026-03-26
GE_STACK_VERSION: GitHub Actions (github-hosted runners, ubuntu-latest)


NEW WORKFLOW CHECKLIST

  • [ ] CHECK: Workflow has permissions block with minimum required permissions
    IF_SKIPPED: workflow runs with repository default (potentially write-all)
    ADDED_FROM: security-audit-2026-02
  • [ ] CHECK: All third-party actions pinned to full commit SHA with version comment
    IF_SKIPPED: supply chain attack risk — mutable tags can be overwritten
  • [ ] CHECK: Concurrency group configured
    IF_SKIPPED: duplicate runs waste runner minutes, race conditions
    ADDED_FROM: partial-deploy-2026-02
  • [ ] CHECK: timeout-minutes set on every job
    IF_SKIPPED: a hung job runs until the 360-minute default timeout, burning six hours of runner minutes per occurrence
  • [ ] CHECK: User-controlled inputs (PR title/body, branch name, issue text, commit message) passed via env:, not interpolated in run:
    IF_SKIPPED: script injection — ${{ }} is substituted into the script text before the shell runs it, so attacker-controlled text executes as code on the runner
    ADDED_FROM: security-audit-2026-02
  • [ ] CHECK: pull_request trigger used (not pull_request_target)
    IF_SKIPPED: pull_request_target runs in the base repository context with secrets and a write-capable token; if the workflow then checks out and executes the PR head, a fork PR can exfiltrate secrets
    ADDED_FROM: security-review-2026-01
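Added example (not from the original page): a CI workflow that satisfies every item in the checklist above. The 40-zero SHAs are placeholders, not real commits, and the npm commands assume a Node project; resolve each action's real SHA with `git ls-remote https://github.com/actions/checkout refs/tags/v4` (substitute the action and tag). The commented-out run: step is the injection pattern the env: step replaces.

```yaml
# Added example, not from the original page. Placeholder SHAs: resolve the real
# one per action, e.g. git ls-remote https://github.com/actions/checkout refs/tags/v4
name: ci

on:
  pull_request:            # not pull_request_target: fork PRs get a read-only token and no secrets
  push:
    branches: [main]

# Least privilege for GITHUB_TOKEN; raise scopes per job only where a job needs them.
permissions:
  contents: read

# One CI run per branch or PR; a newer push cancels the stale run.
concurrency:
  group: ci-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 15              # default would be 360
    steps:
      # Full commit SHA plus a version comment; Dependabot updates both together.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)

      # WRONG: the PR title is attacker-controlled and is substituted into the
      # script text before bash runs it, so a title containing $(...) or a
      # closing quote executes as code on the runner.
      #
      # - run: echo "Testing ${{ github.event.pull_request.title }}"

      # RIGHT: hand the value over through env; bash only ever sees it as data.
      - name: Show PR title
        if: github.event_name == 'pull_request'
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: printf 'Testing %s\n' "$PR_TITLE"

      - name: Install and test
        run: |
          npm ci
          npm test
```

The same env: rule applies to every field an outsider can write: github.event.pull_request.body, github.head_ref, github.event.issue.title, github.event.head_commit.message.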

CACHING CHECKLIST

  • [ ] CHECK: Node modules cached with pnpm-lock.yaml hash as key
    IF_SKIPPED: 3-5 minutes wasted per run on dependency install
  • [ ] CHECK: Docker layers cached with cache-from: type=gha AND cache-to: type=gha (cache-from alone only reads; nothing is ever written)
    IF_SKIPPED: full image rebuild every run
  • [ ] CHECK: Python pip cached with requirements.txt hash as key
    IF_SKIPPED: slow pip install on every run
  • [ ] CHECK: Cache keys are stable (lockfile hash, not commit SHA), with restore-keys for a partial hit when the lockfile changes
    IF_SKIPPED: cache misses every run and a fresh entry is written every run, no benefit and cache storage fills up
    ADDED_FROM: billing-spike-2026-03
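Added example (not from the original page): a job fragment covering all four caching items, with triggers and the permissions block omitted. Placeholder SHAs as elsewhere on this page; the pnpm store path is the default on ubuntu-latest (verify with `pnpm store path`), and the setup-python cache: pip option hashes requirements.txt for its key on its own.

```yaml
# Added example, not from the original page. Placeholder SHAs; job fragment only.
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: pnpm/action-setup@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          version: 9

      # Key changes only when the lockfile changes; restore-keys gives a partial
      # hit after a lockfile change instead of a cold install.
      # WRONG key (misses every run, writes a fresh entry every run):
      #   key: pnpm-${{ github.sha }}
      - uses: actions/cache@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          path: ~/.local/share/pnpm/store         # default pnpm store on Linux runners
          key: pnpm-${{ runner.os }}-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            pnpm-${{ runner.os }}-
      - run: pnpm install --frozen-lockfile

      # setup-python's built-in cache keys on the requirements.txt hash.
      - uses: actions/setup-python@0000000000000000000000000000000000000000 # v5 (placeholder SHA)
        with:
          python-version: '3.12'
          cache: pip
      - run: pip install -r requirements.txt

      # cache-from only reads the GHA layer cache; without cache-to nothing is
      # ever written and every run still rebuilds every layer.
      - uses: docker/setup-buildx-action@0000000000000000000000000000000000000000 # v3 (placeholder SHA)
      - uses: docker/build-push-action@0000000000000000000000000000000000000000 # v6 (placeholder SHA)
        with:
          context: .
          push: false
          tags: app:ci
          cache-from: type=gha
          cache-to: type=gha,mode=max
```

mode=max exports intermediate layers as well as the final ones, which is what makes a multi-stage Dockerfile hit the cache on later runs.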

DEPLOYMENT WORKFLOW CHECKLIST

  • [ ] CHECK: Environment protection rules configured (required reviewers, deployment branch restricted to main)
    IF_SKIPPED: anyone who can push to the triggering branch deploys to production with no review
  • [ ] CHECK: cancel-in-progress: false on deployment concurrency group
    IF_SKIPPED: cancelled mid-deploy leaves infrastructure half-updated
    ADDED_FROM: partial-deploy-2026-02
  • [ ] CHECK: OIDC used for cloud authentication (job has id-token: write; no long-lived cloud keys in secrets; cloud trust policy restricts the sub claim to this repo and environment)
    IF_SKIPPED: credential rotation burden, leak risk
  • [ ] CHECK: Deploy job has if: github.ref == 'refs/heads/main' guard
    IF_SKIPPED: accidental deployment from feature branch
  • [ ] CHECK: Production deploy requires 2 reviewers (rutger + arjan)
    IF_SKIPPED: unreviewed production changes
  • [ ] CHECK: Deployment URL set in environment config for audit trail
    IF_SKIPPED: no link from workflow run to deployed service
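Added example (not from the original page): a deployment workflow that satisfies every item in the checklist above. The role ARN, account id, region, URL, deploy script and action SHAs are placeholders; the required reviewers (rutger + arjan) and the main-only branch restriction are configured on the production environment in repository settings, not in YAML, which is why the job also carries the explicit ref guard.

```yaml
# Added example, not from the original page. Placeholder SHAs, ARN, region and URL.
name: deploy

on:
  push:
    branches: [main]
  workflow_dispatch:

permissions:
  contents: read
  id-token: write            # needed to request the OIDC token; no cloud keys in secrets

# Queue deploys behind each other; never cancel one that has already started.
concurrency:
  group: deploy-production
  cancel-in-progress: false

jobs:
  deploy:
    # Belt and braces with the environment's branch restriction: a
    # workflow_dispatch from a feature branch stops here.
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    timeout-minutes: 30
    environment:
      name: production                  # protection rules: reviewers rutger + arjan, branch main
      url: https://app.example.invalid  # placeholder; links the run to the deployed service
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)

      # Short-lived credentials exchanged for the OIDC token. The IAM trust
      # policy must restrict the sub claim to repo:<org>/<repo>:environment:production.
      - uses: aws-actions/configure-aws-credentials@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy   # placeholder ARN
          aws-region: eu-west-1                                          # placeholder region

      - name: Deploy
        run: ./scripts/deploy.sh   # assumed to exist in the repository
```

Because the job is bound to the production environment, the run pauses at the environment gate until the required reviewers approve, and the OIDC token it later requests carries that environment in its sub claim, so the cloud role can refuse tokens minted from any other job.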

SECURITY CHECKLIST

  • [ ] CHECK: Dependabot configured for github-actions ecosystem
    IF_SKIPPED: pinned action SHAs never updated, miss security patches
  • [ ] CHECK: New third-party actions reviewed by alex or tjitte before use
    IF_SKIPPED: unvetted code runs in CI with access to secrets
  • [ ] CHECK: Repository default token permissions set to read
    IF_SKIPPED: any workflow without its own permissions block gets a write-all GITHUB_TOKEN (the default on older repositories)
  • [ ] CHECK: Secrets are minimum 8 characters
    IF_SKIPPED: short secrets may not be masked in logs
    ADDED_FROM: secret-leak-2026-02
  • [ ] CHECK: Multiline secrets have each line masked individually
    IF_SKIPPED: lines after first are visible in logs
    ADDED_FROM: secret-leak-2026-02
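Added example (not from the original page): two fragments in one file, separated by a YAML document marker. The first is the Dependabot config that keeps pinned action SHAs updated; the second is a workflow step that registers every line of a multiline secret with ::add-mask:: before the secret is used, the fix for the secret-leak-2026-02 finding above. TLS_KEY is an assumed secret name.

```yaml
# Added example, not from the original page.
# --- .github/dependabot.yml ---
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /              # scans .github/workflows
    schedule:
      interval: weekly
---
# --- step inside any workflow job (assumed secret name TLS_KEY) ---
steps:
  - name: Mask each line of a multiline secret
    env:
      TLS_KEY: ${{ secrets.TLS_KEY }}
    run: |
      # Per secret-leak-2026-02, lines after the first were visible in logs.
      # Register every non-empty line separately so any partial print of the
      # value is redacted. The if/fi form keeps the loop's exit status 0 under
      # the runner's default bash -e.
      while IFS= read -r line; do
        if [ -n "$line" ]; then
          printf '::add-mask::%s\n' "$line"
        fi
      done <<< "$TLS_KEY"

  - name: Use the secret
    env:
      TLS_KEY: ${{ secrets.TLS_KEY }}
    run: |
      printf '%s\n' "$TLS_KEY" > key.pem
      chmod 600 key.pem
```

Put the masking step first in the job: ::add-mask:: only affects log lines written after it runs, so anything printed earlier is not redacted retroactively.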

CROSS-REFERENCES

READ_ALSO: wiki/docs/stack/github-actions/index.md
READ_ALSO: wiki/docs/stack/github-actions/patterns.md
READ_ALSO: wiki/docs/stack/github-actions/security.md
READ_ALSO: wiki/docs/stack/github-actions/pitfalls.md