GitHub Actions Self-Hosted Risk Audit
Use this skill to flag risky workflow patterns when jobs run on self-hosted GitHub Actions runners.
What this skill does
- Scans workflow YAML files (`.github/workflows/*.y*ml` by default)
- Detects workflows that reference self-hosted runners
- Flags high-risk trigger combinations (`pull_request_target`, `pull_request`, `issue_comment`)
- Flags broad/self-hosted-only runner selection (no extra routing labels)
- Flags workflows with write-capable permissions in self-hosted contexts
- Flags `actions/checkout` steps that do not set `persist-credentials: false`
- Supports text/json output and a CI fail gate
Inputs
Optional (all read from the environment):
- `WORKFLOW_GLOB` (default: `.github/workflows/*.y*ml`); the shell does not expand globs in a variable assignment, so the pattern reaches the script unexpanded and needs no quoting
- `TOP_N` (default: 20): how many of the top flagged workflows are listed
- `OUTPUT_FORMAT` (`text` or `json`, default: `text`)
- `WARN_SCORE` (default: 4): score at which a workflow is reported as warn
- `CRITICAL_SCORE` (default: 8): score at which a workflow is reported as critical
- `WORKFLOW_FILE_MATCH` / `WORKFLOW_FILE_EXCLUDE` (regex, optional)
- `FAIL_ON_CRITICAL` (`0` or `1`, default: `0`)
Run
Text report:
```bash
WORKFLOW_GLOB=.github/workflows/*.yml \
WARN_SCORE=4 \
CRITICAL_SCORE=8 \
bash skills/github-actions-self-hosted-risk-audit/scripts/self-hosted-risk-audit.sh
```
JSON output + fail gate:
```bash
WORKFLOW_GLOB=.github/workflows/*.y*ml \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-self-hosted-risk-audit/scripts/self-hosted-risk-audit.sh
```
Run against bundled fixtures:
```bash
WORKFLOW_GLOB=skills/github-actions-self-hosted-risk-audit/fixtures/*.y*ml \
bash skills/github-actions-self-hosted-risk-audit/scripts/self-hosted-risk-audit.sh
```
Output contract
- Exit `0` in reporting mode (default)
- Exit `1` when `FAIL_ON_CRITICAL=1` and one or more workflows are critical
- Text mode prints a summary plus the top flagged workflows
- JSON mode prints a summary plus the flagged workflows and the critical workflows
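The checks and the output contract described above, as an added, runnable illustration in Python. This is not the skill's own bash script (which this page does not reproduce): it scans a workflow line by line for the five flagged patterns, adds per-finding weights, applies the `WARN_SCORE`/`CRITICAL_SCORE` thresholds, and derives the exit code from the `FAIL_ON_CRITICAL` rule. The two sample workflows are constructed, and the weights, the finding names and the line-based parsing heuristics are assumptions rather than the project's scoring.

```python
"""Line-oriented self-hosted risk audit for GitHub Actions workflow YAML. Added
illustration of the README's checks, not the skill's own bash script; the weights
and parsing heuristics are assumptions, and the sample workflows are constructed."""
import re

RISKY_WORKFLOW = """\
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  build:
    runs-on: [self-hosted]
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""
HARDENED_WORKFLOW = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: [self-hosted, linux, ephemeral, team-ci]
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
"""
CLOUD_WORKFLOW = "on: push\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
RISKY_TRIGGERS = {"pull_request_target", "pull_request", "issue_comment"}
WEIGHTS = {"pull_request_target": 4, "issue_comment": 3, "pull_request": 3,  # assumed weights
           "broad_runner": 2, "write_permissions": 2, "checkout_keeps_token": 2}


def _indent(line): return len(line) - len(line.lstrip())


def _children(lines, i, col=None):
    """Non-blank lines indented deeper than `col` (default: indent of lines[i]), up to the next dedent."""
    col = _indent(lines[i]) if col is None else col
    kids = []
    for nxt in (ln for ln in lines[i + 1:] if ln.strip()):
        if _indent(nxt) <= col:
            break
        kids.append(nxt)
    return kids


def triggers(text):
    """Top-level `on:` trigger names (scalar, flow-list or mapping form)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        if rest := m.group(1).strip():                     # on: push  /  on: [push, pull_request]
            return {t.strip() for t in rest.strip("[]").split(",")}
        kids = _children(lines, i)
        top = min((_indent(k) for k in kids), default=0)   # direct children are the trigger names
        return {k.split(":")[0].strip().lstrip("- ") for k in kids if _indent(k) == top}
    return set()


def runner_labels(text):
    """One label list per `runs-on:` (scalar or flow-list form; group/matrix forms are not parsed)."""
    out = []
    for m in re.finditer(r"^\s*runs-on:\s*(\S.*)$", text, re.M):
        raw = m.group(1).strip().strip("[]")
        out.append([x.strip().strip("'\"") for x in raw.split(",") if x.strip()])
    return out


def has_write_permissions(text):
    """`permissions: write-all`, or any `<scope>: write` line (heuristic: not scoped to the permissions block)."""
    return bool(re.search(r"^\s*permissions:\s*write-all\s*$|^\s+[\w-]+:\s*write\s*$", text, re.M))


def checkout_steps_keeping_token(text):
    """Count actions/checkout steps that do not set `persist-credentials: false`."""
    lines = text.splitlines()
    count = 0
    for i, line in enumerate(lines):
        if re.match(r"^\s*-?\s*uses:\s*actions/checkout@", line):
            body = _children(lines, i, line.index("uses:") - 1)   # the step's own keys and values
            if not any(re.match(r"^\s*persist-credentials:\s*false\s*$", b) for b in body):
                count += 1
    return count


def audit(text, warn_score=4, critical_score=8):
    """Score one workflow; findings only count once a job targets a self-hosted runner."""
    hosted = [ls for ls in runner_labels(text) if "self-hosted" in ls]
    findings = []
    if hosted:
        findings += [(f"risky trigger: {t}", WEIGHTS[t]) for t in sorted(triggers(text) & RISKY_TRIGGERS)]
        if any(len(ls) == 1 for ls in hosted):
            findings.append(("self-hosted runner with no routing labels", WEIGHTS["broad_runner"]))
        if has_write_permissions(text):
            findings.append(("write-capable permissions", WEIGHTS["write_permissions"]))
        if n := checkout_steps_keeping_token(text):
            findings.append((f"{n} checkout step(s) without persist-credentials: false", WEIGHTS["checkout_keeps_token"]))
    score = sum(w for _, w in findings)
    level = "critical" if score >= critical_score else "warn" if score >= warn_score else "ok"
    return {"self_hosted": bool(hosted), "findings": findings, "score": score, "level": level}


def exit_code(reports, fail_on_critical=False):
    return 1 if fail_on_critical and any(r["level"] == "critical" for r in reports) else 0
```

With these assumed weights the risky sample scores 10 (critical) and the hardened one 3 (below the default `WARN_SCORE`), while the `ubuntu-latest` sample is not scored at all because nothing in it targets a self-hosted runner. The checkout check matters most on self-hosted runners: by default `actions/checkout` writes the job's `GITHUB_TOKEN` into `.git/config` of the working copy, and on a long-lived runner that file can outlive the job and be read by whatever runs next, including fork code executed through `pull_request_target`. Extra labels such as `ephemeral` in the hardened sample are only routing labels; they do not by themselves make a runner ephemeral.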