How to review GitHub Actions workflows

Greg Foster
Graphite software engineer

A GitHub Actions workflow is an automated process made up of one or more jobs; each job runs a sequence of steps on a runner and the whole workflow is triggered by GitHub events such as push or pull_request. Workflows build, test, deploy, and more, and each one is defined in a YAML file under .github/workflows/.

Reviewing your GitHub Actions workflows is essential for security and reliability. These pipelines can leak secrets, pull vulnerabilities in through third-party actions, and become supply-chain attack vectors because they run with write access to your repository and often with cloud credentials. Regularly inspect secrets handling, permission scopes, and workflow triggers (especially pull_request_target), and pin actions to a full commit SHA so that a moved tag cannot pull malicious code into your build. Beyond security, workflow review also keeps CI maintainable: CI logic evolves fast, and unloved workflows accrue technical debt in the form of fixes, refactoring, and dependency updates. Investing in routine reviews improves your CI/CD posture, reduces hidden maintenance costs, and protects your code from both mistakes and deliberate tampering.

Review workflows at these points:

  • Before merging changes to workflow files.
  • Regularly for existing workflows.
  • When adding third‑party actions.
  • After GitHub updates Actions features or deprecates behaviors.

Verify that events and branch filters are precise; avoid broad triggers such as push on every branch unless needed. Treat pull_request_target with particular care: it runs in the context of the base repository, with its secrets and a write-capable GITHUB_TOKEN, so a workflow that checks out and executes the pull request head code under that event hands those privileges to any fork.

Set the permissions key explicitly so GITHUB_TOKEN gets the minimum scope, ideally contents: read at the workflow level with additional scopes granted per job. Pull requests from forks receive a read-only token and no secrets under the pull_request event; keep it that way rather than working around it with pull_request_target.

Ensure secrets are not hard-coded and do not reach the logs. GitHub masks a secret's exact value in log output but not values derived from it (encoded, split, or embedded in a URL), so check any run step that echoes, curls, or serializes. Prefer OIDC federation over long-lived static credentials for cloud and third-party access: the job then needs only the id-token: write permission, and the provider issues short-lived credentials for that run.

Use only actions you have verified or that you host yourself. Pin every action to a full-length commit SHA rather than a tag, and never to a branch such as @master: tags are mutable and a compromised maintainer account can move one, whereas a SHA cannot be repointed. Record the release tag in a trailing comment so version bumps stay reviewable, and consider forking an untrusted action into your own organization after reviewing its source.

Check that runners are minimal, hardened, and limited in network egress. Use hardened-runner tooling or self-hosted runners where needed, but do not attach self-hosted runners to public repositories: a pull request from a fork can run arbitrary code on them, and a persistent runner carries that code's side effects into later jobs.

Apply job timeouts with timeout-minutes, cancel superseded runs with a concurrency group so builds cannot pile up, use caching or external storage instead of large artifacts, set artifact retention, and add logging or notifications for failures.

Run workflows with both valid and invalid inputs and examine the logs for unexpected behavior or secret leakage; a deliberately malformed input is the quickest way to expose an unquoted expression in a run step or an unmasked derived value.
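As an added example (not from the original article), here is a deliberately weak workflow followed by a hardened rewrite that applies each of the checks above: precise triggers, an explicit least-privilege permissions block, SHA-pinned actions, no untrusted expressions in shell source, OIDC instead of static cloud keys, and timeouts plus concurrency. The repository scripts, the IAM role ARN, and the all-zero commit SHAs are placeholders; look up the real commit for each action release before copying.

```yaml
# Added example, not code from the article. Placeholders: all-zero SHAs,
# the role ARN, and ./scripts/deploy.sh. Replace each SHA with the real
# commit behind the tag named in the trailing comment.
#
# --- BEFORE: .github/workflows/ci.yml ---------------------------------------
name: ci
on:
  push:                     # fires on every branch, every push
  pull_request_target:      # runs with base-repo secrets and a write-capable token...
jobs:
  test:
    runs-on: ubuntu-latest
    # no permissions block: GITHUB_TOKEN falls back to the repository default scope
    steps:
      - uses: actions/checkout@master           # mutable ref, follows whatever the branch points to next
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # ...and checks out untrusted fork code
      - run: npm ci && npm test                 # package scripts from the fork now run with those privileges
      - run: echo "PR title: ${{ github.event.pull_request.title }}"   # expression is spliced into shell source: injection
      - run: echo "${{ secrets.AWS_SECRET_ACCESS_KEY }}" | base64       # masking matches the raw value, not its encoding
---
# --- AFTER: .github/workflows/ci.yml ----------------------------------------
name: ci
on:
  push:
    branches: [main]
  pull_request:             # fork PRs get a read-only token and no secrets under this event
    branches: [main]
permissions:
  contents: read            # workflow-wide floor; jobs widen only what they need
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true  # superseded runs are cancelled instead of piling up
jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          persist-credentials: false   # do not leave the token in .git/config for later steps
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          node-version: 20
          cache: npm                   # dependency cache instead of uploading node_modules as an artifact
      - run: npm ci && npm test
      - name: Report PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}   # expression lands in an env var, not in shell source
        run: echo "PR title: $PR_TITLE"                      # quoted variable: title is data, not code
  deploy:
    needs: test
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
      id-token: write       # lets this job request an OIDC token for the cloud provider
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          persist-credentials: false
      - uses: aws-actions/configure-aws-credentials@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          role-to-assume: arn:aws:iam::123456789012:role/example-deploy   # placeholder ARN, trust policy scoped to this repo
          aws-region: us-east-1
      - run: ./scripts/deploy.sh      # placeholder; runs with the short-lived STS credentials from the step above
```

The "before" file packs the classic failure modes into one job: pull_request_target combined with a checkout of the head SHA executes fork-controlled code with base-repository privileges, the unscoped token gives that code write access, the PR title is interpolated straight into a shell command, and a secret piped through base64 bypasses log masking. The "after" file keeps the same jobs but makes every privilege explicit, and the deploy job never sees a long-lived cloud key at all.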

| Area | Review questions |
|---|---|
| Triggers | Is the event filter precise? |
| Permissions/token | Is token scope minimal and fork-safe? |
| Actions | Are all actions pinned, trusted, or self-hosted? |
| Secrets | Any secrets exposed? Are they OIDC-based? |
| Runner/env | Is runner hardened and network-limited? |
| Artifacts/timeouts | Are artifacts and timeouts properly managed? |
| Logs/monitoring | Are logs clean and notifications set? |

  • Enforce precise triggers and scope GITHUB_TOKEN tightly
  • Only use pinned, trusted actions and review forks
  • Manage secrets safely and consider OIDC
  • Harden runner environments and control artifacts
  • Set clear timeouts, caching, logging, and notifications

Graphite enhances your workflow reviews through its stacked‑PR model and AI‑powered reviewer Diamond. It integrates with GitHub to break changes, including CI workflows, into small incremental PRs. Diamond provides contextual analysis and actionable feedback on PRs (including CI changes), spotting bugs and misconfigurations quickly. This supports best practices for GitHub Action reviews by enabling fast, precise, AI-augmented audits.

Review GitHub Actions workflows systematically by auditing triggers, tokens, actions, secrets, runners, timeouts, artifacts, and logs. Also be sure to combine manual review with an AI code reviewer like Graphite's Diamond to help keep your workflows more secure, maintainable, and efficient.
