Security and Safety Guidelines for GitHub Actions Simple

Security Measures Implemented

1. Action Security

  • All actions use composite type (no Docker images that could contain malicious code)
  • No external scripts or downloads except from official sources (UV installer)
  • All shell commands use proper error handling and validation
  • No sensitive data exposure in logs or outputs

2. Version Management

  • UV automatically manages and updates Python packages to latest secure versions
  • GitHub Actions use pinned versions (e.g., actions/checkout@v4)
  • No hardcoded versions that could become vulnerable

3. Input Validation

  • All inputs have sensible defaults
  • Path inputs are validated before use
  • No arbitrary code execution from user inputs
  • Shell injection protection via proper quoting

4. Secrets Protection

  • Actions never log or expose environment variables
  • No secrets are hardcoded anywhere in the codebase
  • Users must manage their own secrets via GitHub secrets

5. Network Security

  • Only connects to trusted sources:
    • github.com (for actions)
    • astral.sh (for UV installer - official source)
    • pypi.org (via UV for packages)
  • No arbitrary URL downloads

Safety Features

1. Error Handling

  • All critical operations have error handling
  • Actions fail safely if dependencies can't be installed
  • Clear error messages without exposing sensitive info

2. Resource Protection

  • Timeouts on long-running operations
  • Artifact retention limits (30 days max)
  • Memory and disk usage monitoring

3. Permission Model

  • Actions request minimal permissions
  • No write access to repository unless explicitly granted
  • Clear documentation of required permissions

User Safety Guidelines

1. Repository Setup

  • Keep your GitHub repository private if it contains sensitive data
  • Use GitHub secrets for API keys and sensitive configuration
  • Review and approve all workflow runs in public repositories

2. Dependencies

  • Regularly update your requirements files
  • Use dependency scanning tools
  • Monitor for security advisories

3. Workflow Security

  • Use branch protection rules
  • Require reviews for workflow changes
  • Monitor workflow runs for unexpected behavior

Compliance

1. Licensing

  • MIT License - permissive and business-friendly
  • No copyleft restrictions
  • Clear attribution requirements

2. Data Privacy

  • No telemetry or data collection
  • No personal information transmission
  • Local processing only

3. Open Source Best Practices

  • All code is auditable
  • Clear documentation and examples
  • Community contribution guidelines

Emergency Procedures

1. Security Issues

  • Report security vulnerabilities via GitHub Security tab
  • Do not post security issues publicly
  • Provide clear reproduction steps

2. Action Failures

  • Check GitHub Actions logs for error details
  • Verify repository permissions and secrets
  • Test locally with UV before reporting issues

3. Updates and Patches

  • Monitor this repository for security updates
  • Update your workflows when new versions are released
  • Subscribe to release notifications

Recommended Security Practices

1. Workflow Configuration

# Limit permissions to minimum required
permissions:
  contents: read
  pull-requests: write

# Use secrets for sensitive data
env:
  API_KEY: ${{ secrets.API_KEY }}
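
A fuller workflow that combines these settings with the quoting, input validation and timeout points listed earlier, as an added example that is not taken from this repository. The workflow name, the `data_path` input, the `DATA_PATH` variable and `scripts/analyze.py` are hypothetical.

```yaml
# Constructed example workflow; names and paths are hypothetical.
name: analysis

on:
  workflow_dispatch:
    inputs:
      data_path:
        description: Directory to analyse, relative to the repository root
        default: data

# Token scope for every job in this workflow: read-only.
permissions:
  contents: read

jobs:
  analyse:
    runs-on: ubuntu-latest
    timeout-minutes: 15          # bound long-running operations
    steps:
      # A tag such as v4 can be moved by the action's maintainers;
      # a full commit SHA in its place fixes the exact code that runs.
      - uses: actions/checkout@v4

      - name: Validate input and run
        # Weak form, shown for contrast only:
        #   run: python3 scripts/analyze.py ${{ inputs.data_path }}
        # The expression is substituted into the script text before the
        # shell parses it, so quoting inside the script cannot help.
        env:
          DATA_PATH: ${{ inputs.data_path }}   # arrives as data, not as script text
          API_KEY: ${{ secrets.API_KEY }}      # masked in logs by the runner
        run: |
          set -euo pipefail
          # Reject empty, absolute, option-like and parent-traversing values.
          case "$DATA_PATH" in
            ''|/*|-*|*..*)
              echo "::error::data_path must be a relative path without '..'"
              exit 1 ;;
          esac
          [ -d "$DATA_PATH" ] || { echo "::error::data_path is not a directory"; exit 1; }
          python3 scripts/analyze.py "$DATA_PATH"
```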

2. Repository Security

  • Enable Dependabot for dependency updates
  • Use branch protection rules
  • Enable security alerts

3. Regular Maintenance

  • Update workflow files monthly
  • Review and rotate secrets quarterly
  • Monitor action usage and performance

This security model ensures that GitHub Actions Simple is safe for public use while providing powerful functionality for data science teams.