Script Valley
CI/CD with GitHub Actions
Security and Best Practices/Assessment

Practice & Assessment

Test your understanding of Security and Best Practices

Multiple Choice Questions

1. What is the safe way to use github.event.pull_request.title in a run step?

2. Why does SHA pinning provide stronger security than version tag pinning?

3. You set permissions: contents: read at the workflow level. What is the effective permission for packages?

4. actionlint is integrated into CI triggered on pushes to .github/workflows/**. A push changes only README.md. Does actionlint run?

5. A developer rotates a leaked API key in GitHub Secrets but does not revoke it at the API provider. Is the system secure?

Coding Challenges

1. Harden an Existing Workflow (Medium)

Take a provided insecure workflow file that contains: a run step using ${{ github.event.pull_request.title }} directly, third-party actions pinned to version tags (@v3, @v2), and no permissions block. Your task:

(1) Fix the script injection vulnerability using the env variable pattern.
(2) Pin all actions to their current commit SHAs (look up the SHA for each action version on GitHub).
(3) Add a permissions block with only the required scopes (contents: read).
(4) Add a Dependabot config at .github/dependabot.yml to keep action SHAs updated weekly.

Verify the hardened workflow passes actionlint by running it locally or via the rhysd/actionlint action. Estimated time: 25 minutes.

Mini Project

1. Secure CI/CD Pipeline Audit and Hardening (Hard)

Start with a provided multi-job workflow that deploys a Node.js app. The workflow has several deliberate security issues: direct use of github.event context in run steps, version tag pinning on all actions, a permissions: write-all declaration, no Dependabot config, and no workflow linting. Your task is to fully harden it:

(1) Fix all script injection vulnerabilities using the env variable pattern.
(2) Pin every action to its current SHA with a version comment.
(3) Replace permissions: write-all with minimum per-job permissions declarations.
(4) Add a separate actionlint workflow that runs on push to .github/workflows/**.
(5) Add Dependabot config for weekly action updates.
(6) Add concurrency control with cancel-in-progress: true for PR branches but without it for the main branch deployment job.

Document each change in a PR description explaining the security issue it fixes. The PR must show a green actionlint check before merge.
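A small audit script for the three hardening checks both challenges call for (github.event expanded inside run steps, actions pinned to tags instead of commit SHAs, and the permissions block), as an added example that is not part of the course material. The two embedded workflow fragments are constructed, the 40-zero SHA is a placeholder rather than a real commit, and the scanner is line-based rather than a YAML parser, so it complements actionlint rather than replacing it.

```python
import re

# Constructed sample shaped like the challenges' starting point: tag pin, event in run, no permissions.
INSECURE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
      - run: echo "PR title: ${{ github.event.pull_request.title }}"
"""

# Constructed hardened form (the 40-zero SHA is a placeholder for a real commit, not a real pin).
HARDENED = """\
permissions:
  contents: read
jobs:
  build:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder)
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
"""

USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN = re.compile(r"^(\s*-?\s*)run:\s*(.*)$")
SHA = re.compile(r"^[0-9a-f]{40}$")
EVENT = re.compile(r"\$\{\{\s*github\.event\.")

def audit_workflow(text):
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = USES.match(line)
        # local actions (./path) carry no ref; everything else must pin a full commit SHA after '@'
        if m and not m.group(1).startswith("./") and not SHA.match(m.group(1).partition("@")[2]):
            findings.append(f"line {i + 1}: {m.group(1)} is not pinned to a commit SHA")
        m = RUN.match(line)
        if m:
            body, key_col = m.group(2), len(m.group(1))
            if re.fullmatch(r"[|>][-+]?", body.strip()):  # block scalar: gather its indented lines
                for nxt in lines[i + 1:]:
                    if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= key_col:
                        break
                    body += "\n" + nxt
            if EVENT.search(body):  # untrusted context interpolated into the shell script
                findings.append(f"line {i + 1}: github.event expanded inside a run step")
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append("no permissions block, so the token keeps its default scopes")
    elif re.search(r"^\s*permissions:\s*write-all\s*$", text, re.M):
        findings.append("permissions: write-all grants every scope")
    return findings
```

Run audit_workflow on each fragment: the insecure one yields three findings, the hardened one none, and a block scalar (run: |) is scanned across all of its indented lines.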