docs: security hardening info for actions untrusted content

[wrslatz]

Why:

The Security hardening for GitHub Actions documentation currently has no content or recommendations covering untrusted contents being checked out and executed in Actions workflow runs. Someone recently shared the Grafana GitHub Actions Security Incident write up from StepSecurity and I went to share the hardening guide with them only to not find any recommendations covering this case. I did share https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ with them, but this was harder to find since it is not in the GitHub docs. I expected this security issue to be covered in the docs since untrusted input and third-party Actions, which have similar implications, are covered in the same docs already.

What's being changed (if available, include any code snippets, screenshots, or gifs):

Document the risks and recommended hardening mitigations for untrusted content being checked out and executed in GitHub Actions pull requests.

Check off the following:

• A subject matter expert (SME) has reviewed the technical accuracy of the content in this PR. In most cases, the author can be the SME. Open source contributions may require an SME review from GitHub staff.
• The changes in this PR meet the docs fundamentals that are required for all content.
• All CI checks are passing and the changes look good in the review environment.

[github-actions]

How to review these changes 👓

Thank you for your contribution. To review these changes, choose one of the following options:

• Spin up a codespace
• Set up a local development environment

A Hubber will need to deploy your changes internally to review.

Table of review links

Note: Please update the URL for your staging server or codespace.

The table shows the files in the content directory that were changed in this pull request. This helps you review your changes on a staging server. Changes to the data directory are not included in this table.

Source	Review	Production	What Changed
actions/reference/security/secure-use.md	fpt ghec ghes@ 3.17 3.16 3.15 3.14	fpt ghec ghes@ 3.17 3.16 3.15 3.14
actions/reference/workflows-and-actions/events-that-trigger-workflows.md	fpt ghec ghes@ 3.17 3.16 3.15 3.14	fpt ghec ghes@ 3.17 3.16 3.15 3.14
enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md	ghec	ghec

Key: fpt: Free, Pro, Team; ghec: GitHub Enterprise Cloud; ghes: GitHub Enterprise Server

🤖 This comment is automatically generated.

[github-actions]

Thanks for opening a pull request! We've triaged this issue for technical review by a subject matter expert 👀

[github-actions]

This is a gentle bump for the docs team that this PR is waiting for technical review.

[Sharra-writes]

@wrslatz Sorry this took a while! I think I talked to most of the Actions teams before I found the one I needed to get the SME review. I'm referring it to our writers to review for style now. Thank you for being patient.

[wrslatz]

@wrslatz Sorry this took a while! I think I talked to most of the Actions teams before I found the one I needed to get the SME review. I'm referring it to our writers to review for style now. Thank you for being patient.

Thanks, @Sharra-writes !

[wrslatz]

I found an additional section of the docs that need an update related to this change. Pushing that up shortly.

[wrslatz]

@Sharra-writes @JarLob I found additional content in enterprise guidance that I updated in f471511. Let me know what you think.

[Sharra-writes]

@wrslatz We're doing some work on the organization of Actions articles, so the team asked me to put this on hold on our review board until that's finished, but hopefully that will give you time to get another review from the security folks, since the writing review needs to be the final thing once we know the information is correct.

[Sharra-writes]

@wrslatz Hey, so, my teammate advised massively cutting down the warnings, because our experience with documentation tells us that people don't properly read long warnings and sometimes miss the DO NOT DO THIS we want them to see.

I picked out what I thought was the punchiest and most expressive sentence from the warnings, but this isn't my area of expertise. Do you think the sentence I picked represents the primary threat we're trying to warn against, or would you choose a different one/word it differently for better accuracy?

[wrslatz]

@wrslatz Hey, so, my teammate advised massively cutting down the warnings, because our experience with documentation tells us that people don't properly read long warnings and sometimes miss the DO NOT DO THIS we want them to see.

I picked out what I thought was the punchiest and most expressive sentence from the warnings, but this isn't my area of expertise. Do you think the sentence I picked represents the primary threat we're trying to warn against, or would you choose a different one/word it differently for better accuracy?

@Sharra-writes I did a quick scan and I think this still looks good and meets the objective while linking to specific details. I'll defer to security experts whether it provides sufficient guidance while remaining brief. The main question I have is how important it is to call out the specific permissions granted (write) and access risks (reading secrets) to understand the potential impact.

[subatoi]

Many thanks @wrslatz for writing this up and for your patience 🙏 , and thanks also to @Sharra-writes for all the edits so far and coordinating this ✏️

I've made a few additional comments and suggestions, and have two questions within those; I'm happy to follow up on anything I've written. I've also commented and in one or two cases made very minor link-based edits to Sharra's suggestions. Theoretically, applying all the outstanding suggestions should resolve the CI failures, too 🤞

I'd also just like to provide some context as to why reviewing this has been a little challenging. It's clear that we need to work on improving this article's readability, and we've recently reorganised a lot of the Actions content. As a general rule, we always try to apply current best-practice thinking to new reviews, but unfortunately some of the content in this article as it's currently written doesn't always adhere to our current best practices. Thank you for your patience with it!

Once we've resolved these outstanding points, I'll be happy to take a final look and then I think we'll be good to go ahead and merge this, thank you! ▶️