Third-Party Action Risk - CI/CD Glossary Definition
Third-party action risk is the danger that an external action you call could steal secrets or tamper with your build.
Third-party action risk is the supply-chain exposure from using actions you do not control, since a compromised or malicious action runs with your workflow token and secrets.
Mitigations include pinning to a SHA, reviewing the action source, restricting GITHUB_TOKEN permissions, and limiting which actions a repository is allowed to run.
Related guides
Pinned Action SHA - CI/CD Glossary DefinitionPinned Action SHA: A pinned action SHA is referencing an action by its full 40-character commit hash (for exa…
Immutable Action - CI/CD Glossary DefinitionImmutable Action: An immutable action is a published action version that cannot be changed after release, so…
Least-Privilege Token - CI/CD Glossary DefinitionLeast-Privilege Token: A least-privilege token is a credential granted only the minimum scopes required for a…