secure_workflows.yml

name: Lockdown untrusted workflows

# PROCESS
#
# 1. Scans for any external GitHub Action being used without version pinning (@<commit-sha> vs @v3)
# 2. Scans for insecure practices for inline bash scripts (shellcheck)
# 3. Fail CI and prevent PRs to be merged if any malpractice is found

# USAGE
#
# Always triggered on new PR, PR changes and PR merge.

on:
  push:
    paths:
      - ".github/workflows/**"
  pull_request:
    paths:
      - ".github/workflows/**"

permissions:
  contents: read

jobs:
  enforce_pinned_workflows:
    name: Harden Security
    if: github.repository_owner == 'aws-samples'
    runs-on: ubuntu-latest
    permissions:
      contents: read  # checkout code and subsequently GitHub action workflows
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      - name: Ensure 3rd party workflows have SHA pinned
        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@64418826697dcd77c93a8e4a1f7601a1942e57b5 # v3.0.18