# CICD-SEC-5 — All GitHub Actions and reusable workflows are allowed

> No allowlist on third-party actions. Maximises supply-chain blast radius.

| Field    | Value                    |
| -------- | ------------------------ |
| Category | `CICD-SEC-5`             |
| Severity | MEDIUM                   |
| Auto-fix | ✗                        |
| Source   | Repository configuration |

## What the check does

Reads `GET /repos/{owner}/{repo}/actions/permissions` and fires when the response shows Actions enabled (`enabled: true`) with `allowed_actions` set to `"all"`.

## Why it matters

When all marketplace actions are allowed, any of them can run in your CI — including actions that:

* Were published yesterday and have one star.
* Were recently transferred to a different (potentially attacker-controlled) account.
* Have been compromised at the publisher level (see the tj-actions/changed-files incident from 2025).

Pinning to a SHA ([CICD-SEC-3](/rules/cicd-sec-3)) protects against an action being mutated under your feet, but it doesn't prevent a *new* malicious action from being introduced in a future PR. An allowlist provides defense in depth at the policy level.

## How to fix

Settings → Actions → General → **Actions permissions** → select either:

* **Allow `{owner}`, and select non-`{owner}`, actions and reusable workflows** — most useful for orgs. Curate a list of trusted publishers (e.g., `actions/*`, `github/*`, the third-party actions you already depend on) and require approval for additions.
* **Allow `{owner}` actions and reusable workflows** — strictest option; only first-party actions can run.

For broader org-wide allowlists, configure the same setting at the organization level under **Organization settings → Actions**.
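As an added example (not pipefort's own code), the script below applies the condition from "What the check does" to the permissions endpoint and, when patterns are supplied, performs the remediation from "How to fix" through the GitHub REST API rather than the Settings UI. The endpoints and JSON fields are the documented GitHub ones; the function names, the `GITHUB_TOKEN` environment-variable convention and the sample patterns are this example's own assumptions.

```python
"""CICD-SEC-5: check and remediate the allowed-actions policy via the GitHub REST API.

Added example, not pipefort's own code. Endpoints and fields are the documented ones:
  GET /repos/{owner}/{repo}/actions/permissions
  PUT /repos/{owner}/{repo}/actions/permissions
  PUT /repos/{owner}/{repo}/actions/permissions/selected-actions
Function names and the GITHUB_TOKEN convention are this example's assumptions.
"""
import json
import os
import sys
import urllib.request
from typing import Optional

API = "https://api.github.com"


def evaluate(permissions: dict) -> Optional[dict]:
    """Apply the rule to a GET .../actions/permissions response body.

    Fires only when Actions is enabled AND allowed_actions is "all";
    "local_only" and "selected" both mean some policy restriction exists.
    """
    enabled = bool(permissions.get("enabled", False))
    allowed = permissions.get("allowed_actions")
    if enabled and allowed == "all":
        return {
            "rule": "CICD-SEC-5",
            "severity": "MEDIUM",
            "detail": "Actions enabled with allowed_actions=all (no allowlist)",
        }
    return None


def build_allowlist_policy(patterns, github_owned=True, verified=False):
    """Return the two PUT bodies, in send order, that switch a repo to
    'Allow {owner}, and select non-{owner}, actions and reusable workflows'.

    github_owned -> actions/* and github/*; verified -> Marketplace verified
    creators; patterns -> explicit allowlist entries such as "docker/*".
    """
    policy = {"enabled": True, "allowed_actions": "selected"}
    allowlist = {
        "github_owned_allowed": bool(github_owned),
        "verified_allowed": bool(verified),
        "patterns_allowed": list(patterns),
    }
    return policy, allowlist


def _request(method: str, path: str, token: str, body=None):
    """Minimal authenticated JSON call; the PUTs above return 204 with no body."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(API + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("X-GitHub-Api-Version", "2022-11-28")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def check_repo(owner: str, repo: str, token: str) -> Optional[dict]:
    """Fetch the live policy and evaluate it; None means the rule passes."""
    return evaluate(_request("GET", f"/repos/{owner}/{repo}/actions/permissions", token))


def fix_repo(owner: str, repo: str, token: str, patterns) -> None:
    """Apply the allowlist policy. Order matters: the selected-actions endpoint
    is only accepted once allowed_actions is already 'selected'."""
    policy, allowlist = build_allowlist_policy(patterns)
    base = f"/repos/{owner}/{repo}/actions/permissions"
    _request("PUT", base, token, policy)
    _request("PUT", base + "/selected-actions", token, allowlist)


if __name__ == "__main__":
    # Usage: python cicd_sec_5.py owner/repo [pattern ...]
    # Without patterns the script only reports; with patterns it remediates.
    token = os.environ["GITHUB_TOKEN"]
    owner, repo = sys.argv[1].split("/", 1)
    finding = check_repo(owner, repo, token)
    print(json.dumps(finding or {"rule": "CICD-SEC-5", "status": "pass"}, indent=2))
    if finding and len(sys.argv) > 2:
        fix_repo(owner, repo, token, sys.argv[2:])
        print("policy after fix:", check_repo(owner, repo, token) or "pass")
```

The token needs repository administration rights for the PUT calls. For the organization-level setting mentioned above, the same two-step shape applies against `/orgs/{org}/actions/permissions` and `/orgs/{org}/actions/permissions/selected-actions`, where the first body carries `enabled_repositories` instead of `enabled`.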
