After the tj-actions supply chain attack I wrote up the 7 hardening techniques that would have prevented it

The March 2025 tj-actions incident where 23,000 repos had their secrets exposed through one compromised Action stuck with me. Here are the 7 specific things that would have prevented it.

1. Pin Actions to commit SHAs not tags

A tag like @v4 can be silently moved to malicious code.

A SHA cannot be faked. This one change protected every team that had done it during CVE-2025-30066.

2. Use OIDC instead of stored secrets

Long-lived credentials stay valid until manually rotated.

OIDC tokens expire when the job ends. Nothing to steal.

3. Lock down GITHUB_TOKEN permissions

Add permissions: {} at the top of every workflow and grant each job only what it specifically needs.

4. Treat workflow files like production code

Use CODEOWNERS to require security team review on every .github/workflows/ change before it merges.

5. Scan with Zizmor

pip install zizmor && zizmor .github/workflows/

Catches dangerous pull_request_target configs and script injection risks automatically. Free and takes 2 minutes.

6. Mirror critical Actions into your own org

Fork the Actions you depend on so you are not trusting a stranger's account security.

7. Enforce environment gates

Even a compromised workflow needs human approval before reaching production. That pause catches anomalies.

I wrote a full breakdown with before and after YAML examples for each technique here if anyone needs it.

Happy to answer questions in the comments.

submitted by /u/wizvinay to r/devops