laurentsimon

Results 957 comments of laurentsimon

> * Look for git tags to check for releases and ensure that these tags are signed/verified. Not clear how much improvement this is. Tags are in the commit...

Thinking of broadening this check to "Dangerous workflow coding patterns": 1. ~~dangerous events: `pull_request_target`. In particular, it should not check out untrusted code, e.g. using [with ref](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). Examples of uses [here](https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md).~~...

related link https://securitylab.github.com/advisories/GHSL-2020-328-GoogleCloudPlatform-microservices-demo-workflow/

Thanks for the information, that's super useful. If someone in your team is interested in taking a stab at this, please let me know.

Added a few more bad things to the list after reading https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

part 3 https://securitylab.github.com/research/github-actions-building-blocks/

You sure can! I think we can start it as a different check first. We can merge them later. I've assigned it to you. Thank you! Since it's a pretty comprehensive...

Let's try to do 5 and 8. They are fairly simple. Adding to v5 milestone. wdut? We can try to share the workload if needed.

That's an amazing find. Thanks @calebbrown for letting us know!