Closed
Labels
ai-generated, documentation, plan, security
Description
Objective
Create comprehensive security documentation to formalize and communicate GitHub Actions security best practices to contributors.
Context
The repository demonstrates excellent security practices (99.9% action pinning, minimal permissions model, etc.) but lacks formal documentation of these practices. Documentation will help maintain security standards as the project grows.
Approach
Step 1: Create SECURITY.md
Add a security policy document covering:
- Action pinning policy (all actions must be pinned to SHA)
- Reporting security vulnerabilities
- Security update process
- Supported versions
Step 2: Update CONTRIBUTING.md
Add a "Workflow Security Guidelines" section covering:
```markdown
## Workflow Security Guidelines

When contributing workflows:

1. **Always pin actions to commit SHA**
   - ✅ `uses: actions/checkout@abc123def789 # v4.0.0`
   - ❌ `uses: actions/checkout@v4`

2. **Use minimal permissions**
   - Declare empty permissions at workflow level
   - Grant minimal permissions at job level

3. **Avoid dangerous triggers**
   - Be cautious with pull_request_target
   - Validate all external inputs

4. **Vet third-party actions**
   - Only use actions from trusted sources
   - Review action source code when possible
```
Step 3: Create docs/security-practices.md
Detailed security documentation covering:
- Why we pin actions to SHAs
- Permission model explanation
- Third-party action vetting process
- Security monitoring procedures
- How to respond to security findings
Step 4: Update AGENTS.md
Add reference to security documentation:
```markdown
## Security Best Practices

See [SECURITY.md](SECURITY.md) for:
- Security policy and vulnerability reporting
- Workflow security guidelines
- Action pinning requirements
```
Files to Create/Modify
- Create: SECURITY.md
- Update: CONTRIBUTING.md
- Create: docs/security-practices.md
- Update: AGENTS.md
Acceptance Criteria
- SECURITY.md created with vulnerability reporting process
- CONTRIBUTING.md includes workflow security guidelines
- docs/security-practices.md provides detailed security guidance
- AGENTS.md references security documentation
- Documentation reviewed for completeness and clarity
- Examples include both ✅ correct and ❌ incorrect patterns
Estimated Effort
2-3 hours
Related to #7992
AI generated by Plan Command for discussion #7983
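One way to enforce the "always pin actions to commit SHA" guideline in review or CI is the checker below, an added example that is not part of the original issue or the project's code. It assumes a pin means a full 40-character hex commit SHA (so an abbreviated value is flagged), treats local `./` actions as acceptable, and requires `docker://` references to carry a `sha256` digest; the sample workflow and its SHA are constructed.

```python
import re

# "uses:" at step or job level; the reference ends at whitespace or a comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DOCKER_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def classify(ref):
    """Return None if the reference is acceptably pinned, else a reason."""
    if ref.startswith("./"):
        return None  # local action, versioned with the repository itself
    if ref.startswith("docker://"):
        return None if DOCKER_DIGEST_RE.search(ref) else "image not pinned to a digest"
    _, sep, version = ref.rpartition("@")
    if not sep:
        return "no version given"
    if FULL_SHA_RE.match(version):
        return None
    return f"'{version}' is not a full 40-character commit SHA"

def find_unpinned(workflow_text):
    """Return (line_number, reference, reason) for each unpinned 'uses:' line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out steps are not executed
        match = USES_RE.match(line)
        if match and (reason := classify(match.group(1))):
            findings.append((lineno, match.group(1), reason))
    return findings

# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE = """\
name: ci
on: [push]
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - uses: docker://alpine:3.19
      # - uses: actions/cache@main
"""

if __name__ == "__main__":
    for lineno, ref, reason in find_unpinned(SAMPLE):
        print(f"line {lineno}: {ref}: {reason}")
```

The sample also shows the permissions guideline: an empty `permissions: {}` at workflow level and `contents: read` granted on the job.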