Workflow Security

The IssueOps model makes heavy use of the issue and issue_commenttriggers in GitHub Actions workflows.

1on:
2  issue_comment:
3    types:
4      - created

These triggers will only act on workflow files in the default branch of your repository. This means that pull requests cannot introduce changes to your IssueOps workflows that would be run as part of that PR (e.g. creating a workflow that dumps secrets to the logs). Any changes to the workflow files can be protected with branch protection rules to ensure only verified changes make it into your default branch.

Workflow permissions

To further harden your workflow files, you should always restrict them to the base permissions needed to run. For information about the available permissions, see Assigning permissions to jobs.Permissions can be assigned for the entire workflow, as well as for individual jobs. If one job needs additional permissions, make sure to scope them to that job only.