# Pathrule Pattern: GitHub Actions CI/CD (1.0.0)
# ::pathrule:package:github-actions-cicd

### [RULE] Least-privilege GITHUB_TOKEN by default  (path: /.github/workflows)
<!-- scope: folder | priority: high | strict -->

Every workflow must declare `permissions` explicitly instead of inheriting the repository's default `GITHUB_TOKEN` permissions, which are still read/write on many existing repositories and organizations.

- Set `permissions: {}` (or `contents: read`) at the workflow top level as a default-deny baseline.
- Grant scopes only on the individual jobs that need them, e.g. `packages: write` on the publish job only.
- Add `id-token: write` strictly on jobs that request an OIDC token, never workflow-wide.
- Set a `concurrency` group keyed on the workflow and ref. Use `cancel-in-progress: true` for CI so a stale run cannot push or publish on behalf of a superseded commit; on production deploy jobs set it to `false` so a newer run queues behind an in-flight deploy instead of aborting it half-way.

---

### [RULE] Pin every action to a full commit SHA  (path: /.github/workflows)
<!-- scope: folder | priority: high | strict -->

Reference every `uses:` action by a full-length 40-character commit SHA, with the human-readable version in a trailing comment.

- Write `uses: actions/checkout@<sha> # v6.0.0`, not `actions/checkout@v6` or `@main`.
- A mutable tag or branch can be retargeted by the upstream maintainer, or by an attacker who compromises the upstream repository, so different code runs on your runner with whatever token scopes and secrets the job holds.
- First-party `actions/*` may stay on a major tag only where org policy explicitly allows it; every third-party and marketplace action must be SHA-pinned.
- Keep pins current with Dependabot (`package-ecosystem: github-actions`, which updates the SHA and the trailing version comment together) or `pin-github-action`, so you get patched SHAs rather than stale ones.

---

### [MEMORY] Current GitHub Actions stack and caching defaults (2026)  (path: /.github/workflows)

These are the current stable building blocks for our pipelines as of mid-2026; do not downgrade them when editing workflows.

- Core actions: `actions/checkout@v6`, `actions/setup-node@v6`, `actions/cache@v5` (cache runs on Node 24 and needs runner >= 2.327.1).
- Prefer the built-in cache of `setup-node` (`cache: 'npm'`, plus `cache-dependency-path` when the lockfile is not at the repo root) over a manual `actions/cache` step for dependency restore.
- Reserve standalone `actions/cache` for build outputs (Turbo, Next, Playwright browsers) keyed on a lockfile hash with a partial `restore-keys` fallback.
- Test across versions with a matrix, e.g. `strategy.matrix.node: [20, 22, 24]`, and gate merges on the matrix job.
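
A complete CI workflow that applies the least-privilege, SHA-pinning, caching and matrix rules above, added here as an example rather than taken from the project's own workflows. The 40-hex SHAs are placeholders (resolve each from the tagged release before committing), the patch versions in the trailing comments are assumed, and the repo layout (root `package-lock.json`, Playwright tests, publishing to GitHub Packages) is assumed too:

```yaml
# .github/workflows/ci.yml
# Added example, not the project's own workflow. The 40-hex SHAs are
# placeholders (resolve each from the tagged release before committing);
# patch versions in the trailing comments are assumed.
name: ci

on:
  push:
    branches: [main]
  pull_request:

# Default-deny baseline: GITHUB_TOKEN can do nothing unless a job opts in.
permissions: {}

# One active run per ref; a newer push cancels the stale CI run so it can
# never publish on behalf of a commit that is no longer the branch head.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read                 # checkout only; no write scope in CI
    strategy:
      fail-fast: false
      matrix:
        node: [20, 22, 24]
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v6.0.0 (placeholder SHA)
        with:
          persist-credentials: false # keep the token out of .git/config
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v6.0.0 (placeholder SHA)
        with:
          node-version: ${{ matrix.node }}
          cache: npm                 # built-in dependency cache
          cache-dependency-path: package-lock.json
      # Build-output cache keyed on the lockfile; restore-keys yields a
      # partial hit (older browsers) when only the lockfile changed.
      - uses: actions/cache@0000000000000000000000000000000000000000 # v5.0.0 (placeholder SHA)
        with:
          path: ~/.cache/ms-playwright
          key: playwright-${{ runner.os }}-${{ hashFiles('package-lock.json') }}
          restore-keys: |
            playwright-${{ runner.os }}-
      - run: npm ci
      - run: npx playwright install --with-deps
      - run: npm test

  # Single status check to require in branch protection: it fails if any
  # matrix leg failed or was cancelled, so merges are gated on the matrix.
  ci-ok:
    needs: test
    if: always()
    runs-on: ubuntu-latest
    permissions: {}
    env:
      TEST_RESULT: ${{ needs.test.result }}
    steps:
      - run: test "$TEST_RESULT" = success

  # The only job holding a write scope, and only on pushes to main.
  publish:
    needs: test
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write                # GitHub Packages publish
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v6.0.0 (placeholder SHA)
        with:
          persist-credentials: false
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v6.0.0 (placeholder SHA)
        with:
          node-version: 24
          cache: npm
          registry-url: https://npm.pkg.github.com
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The `ci-ok` job exists so that branch protection can require one stable check name regardless of how the matrix changes; `if: always()` makes it run even when a leg fails, and the `test` on `needs.test.result` turns that into a red check. `persist-credentials: false` is a habit worth keeping everywhere: it stops later steps (and anything they execute) from reading the token back out of `.git/config`.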

---

### [MEMORY] Keyless deploys via OIDC, not stored secrets  (path: /.github/workflows)

Production deploys use OpenID Connect to mint short-lived, identity-bound cloud credentials instead of long-lived access keys in repo secrets.

- The deploy job sets `permissions: { id-token: write, contents: read }`, then calls `aws-actions/configure-aws-credentials@v6` (SHA-pinned in the file like every third-party action) with `role-to-assume` and `aws-region`; it passes no `aws-access-key-id` or `aws-secret-access-key`.
- The cloud-side trust policy requires `aud` to equal `sts.amazonaws.com` and restricts `sub` to our specific repo plus a branch (`repo:org/app:ref:refs/heads/main`) or environment (`repo:org/app:environment:production`), so no other repo or branch can assume the role.
- Bind deploys to a protected GitHub Environment with required reviewers; environment secrets are exposed only to that job.
- See /.github/workflows for the least-privilege token and SHA-pinning rules that apply to the same files.
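
Both halves of the keyless deploy, added here as an example and not taken from the project: the GitHub side (a deploy workflow bound to the `production` environment) and the AWS side (the OIDC provider and role trust policy, written as a CloudFormation template so the whole example stays in YAML). The account id `123456789012`, role name `github-app-deploy`, region, `./scripts/deploy.sh` and the 40-hex SHAs are placeholders; `repo:org/app` stands for the real `owner/repo`, and the template assumes a CloudFormation version where `ThumbprintList` is optional (AWS now validates GitHub's provider against its own trust store):

```yaml
# .github/workflows/deploy.yml
# Added example, not the project's own workflow. Account id, role name,
# region, deploy script and 40-hex SHAs are placeholders.
name: deploy

on:
  push:
    branches: [main]

permissions: {}

# Serialize deploys. Do NOT cancel an in-flight deploy; let the next one queue.
concurrency:
  group: deploy-production
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production          # protected: required reviewers, env secrets
    permissions:
      id-token: write                # lets this job (only) request an OIDC token
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v6.0.0 (placeholder SHA)
        with:
          persist-credentials: false
      - uses: aws-actions/configure-aws-credentials@0000000000000000000000000000000000000000 # v6.0.0 (placeholder SHA)
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-app-deploy   # placeholder
          aws-region: eu-west-1                                              # placeholder
          # No aws-access-key-id / aws-secret-access-key: the action trades the
          # job's OIDC token to STS for credentials that expire with the job.
      - run: aws sts get-caller-identity     # confirm which identity we hold first
      - run: ./scripts/deploy.sh             # placeholder deploy step

---
# infra/github-oidc-role.yaml (CloudFormation), same added example.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  GitHubOidcProvider:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList: [sts.amazonaws.com]     # the aud the workflow's token carries
  GitHubAppDeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: github-app-deploy
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: !GetAtt GitHubOidcProvider.Arn
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                "token.actions.githubusercontent.com:aud": sts.amazonaws.com
                # Environment-scoped sub: only jobs running under this repo's
                # 'production' environment (where the reviewers gate lives) match.
                # Branch-scoped alternative: "repo:org/app:ref:refs/heads/main".
                # Wildcards need StringLike instead of StringEquals.
                "token.actions.githubusercontent.com:sub": "repo:org/app:environment:production"
      # The permissions policy for the deploy itself is omitted here; attach one
      # scoped to the target stack rather than a broad managed policy.
```

The two halves have to agree: `id-token: write` in the job, `aud` pinned to `sts.amazonaws.com` on both sides, and a `sub` pattern that matches the form GitHub actually emits for that job (`environment:` when the job declares one, `ref:` otherwise). A trust policy that checks only `aud` would accept a token from any repository on GitHub, which is the failure mode the `sub` condition exists to close.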

---

### [SKILL] github-actions-cicd-review  (path: /)

---
name: github-actions-cicd-review
description: Review checklist for GitHub Actions CI/CD workflows covering least-privilege tokens, SHA-pinned actions, OIDC deploys, caching, and matrix builds. Use when creating or editing any file under .github/workflows.
---

# GitHub Actions CI/CD review

- [ ] Workflow declares a top-level `permissions:` block that is default-deny (`{}` or `contents: read`).
- [ ] Write scopes (`packages`, `contents`, `id-token`, etc.) are granted per job, not workflow-wide.
- [ ] Every `uses:` references a full 40-char commit SHA with a `# vX.Y.Z` comment, no `@main` or floating tags.
- [ ] Action versions are current: `checkout@v6`, `setup-node@v6`, `cache@v5` or newer.
- [ ] Dependency caching is enabled (`setup-node` `cache: 'npm'` or a lockfile-keyed `actions/cache`).
- [ ] Build matrix covers the supported runtime versions and merge protection requires the matrix job.
- [ ] Cloud deploys use OIDC (`id-token: write` + `role-to-assume`), with no long-lived keys in secrets.
- [ ] OIDC trust policy checks the `aud` claim and scopes `sub` to this repo and branch or environment.
- [ ] Deploy jobs target a protected GitHub Environment with required reviewers.
- [ ] A `concurrency` group prevents overlapping runs (`cancel-in-progress: true` for CI, `false` for deploys so they queue rather than abort mid-way).
- [ ] `pull_request_target` is not used to run code from the PR head, and untrusted event data (`github.event.*` titles, bodies, branch names) reaches `run:` steps through `env:` rather than being interpolated into the script.
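
The last item in practice, as an added example that is not part of the page's checklist: one step written the vulnerable way and the hardened way. The workflow shape and the conventional-commit prefixes are assumed; it runs on `pull_request`, not `pull_request_target`, so the PR's own code never executes with the base repository's token or secrets:

```yaml
# Added example, not from the page: the same step written two ways.
# Workflow shape and title prefixes are assumed.
name: pr-title
on:
  pull_request:
    types: [opened, edited, synchronize]

permissions:
  contents: read

jobs:
  title-check:
    runs-on: ubuntu-latest
    steps:
      # VULNERABLE: ${{ }} is expanded into the script text before bash sees
      # it. A PR titled   x"; id > /tmp/pwned; echo "   runs the attacker's
      # command on the runner with this job's token and secrets.
      - name: insecure (do not ship)
        run: echo "PR title: ${{ github.event.pull_request.title }}"

      # HARDENED: the value enters the shell as an environment variable, so
      # bash treats it as data; the quoting prevents word splitting and globbing.
      - name: safe
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $PR_TITLE"
          case "$PR_TITLE" in
            feat:*|fix:*|chore:*) ;;
            *) echo "title must start with feat:, fix: or chore:" >&2; exit 1 ;;
          esac
```

The same rule applies to every attacker-influenced field (`github.event.issue.title`, `github.event.comment.body`, `github.head_ref`, commit messages): expression syntax belongs in `env:` or `with:`, never inside the text of a `run:` script.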
