Security: psmman/github-actions-simple

Security and Safety Guidelines for GitHub Actions Simple

Security Measures Implemented

1. Action Security

  • All actions use composite type (no Docker images that could contain malicious code)
  • No external scripts or downloads except from official sources (UV installer)
  • All shell commands use proper error handling and validation
  • No sensitive data exposure in logs or outputs

2. Version Management

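  • UV automatically manages and updates Python packages to the latest secure versions
  • GitHub Actions use pinned versions (e.g., actions/checkout@v4); a tag such as v4 can be moved by the action's publisher, so use a full commit SHA where an immutable reference is required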
  • No hardcoded versions that could become vulnerable

3. Input Validation

  • All inputs have sensible defaults
  • Path inputs are validated before use
  • No arbitrary code execution from user inputs
  • Shell injection protection via proper quoting
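
One way to carry out the path validation and quoting described in this list inside a composite-action step. This is an added example, not code from this repository; the function name `validate_path_input` and the `INPUT_PATH` variable are hypothetical, and it assumes the input names an existing directory under the workspace.

```bash
# Added example (not the project's code). Assumes the input is a directory
# and reaches the step through an environment variable, e.g.
#   env: { INPUT_PATH: "${{ inputs.path }}" }   # INPUT_PATH is hypothetical
# so the shell never parses the value as script text.

# validate_path_input VALUE ROOT
# Prints the resolved directory and returns 0 only when VALUE is a relative
# path that stays inside ROOT; returns 1 otherwise.
validate_path_input() {
  local value="$1" root="$2" resolved
  local LC_ALL=C   # make the character ranges below byte-exact

  # Reject empty values and anything outside a conservative allowlist
  # (no whitespace, quotes, $, ;, |, backticks or newlines).
  case "$value" in
    ''|*[!A-Za-z0-9._/-]*) return 1 ;;
  esac

  # Reject absolute paths and leading dashes (option injection).
  case "$value" in
    /*|-*) return 1 ;;
  esac

  # Reject any ".." component.
  case "/$value/" in
    */../*) return 1 ;;
  esac

  # Resolve symlinks, then confirm the result is still under ROOT.
  root="$(cd -- "$root" && pwd -P)" || return 1
  resolved="$(cd -- "$root/$value" 2>/dev/null && pwd -P)" || return 1
  case "$resolved/" in
    "$root"/*) printf '%s\n' "$resolved" ;;
    *) return 1 ;;
  esac
}

# In a step, quote every expansion and avoid echoing the rejected value:
#   target="$(validate_path_input "$INPUT_PATH" "$GITHUB_WORKSPACE")" \
#     || { echo "::error::invalid path input"; exit 1; }
```
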

4. Secrets Protection

  • Actions never log or expose environment variables
  • No secrets are hardcoded anywhere in the codebase
  • Users must manage their own secrets via GitHub secrets

5. Network Security

  • Only connects to trusted sources:
    • github.com (for actions)
    • astral.sh (for UV installer - official source)
    • pypi.org (via UV for packages)
  • No arbitrary URL downloads

Safety Features

1. Error Handling

  • All critical operations have error handling
  • Actions fail safely if dependencies can't be installed
  • Clear error messages without exposing sensitive info

2. Resource Protection

  • Timeouts on long-running operations
  • Artifact retention limits (30 days max)
  • Memory and disk usage monitoring

3. Permission Model

  • Actions request minimal permissions
  • No write access to repository unless explicitly granted
  • Clear documentation of required permissions

User Safety Guidelines

1. Repository Setup

  • Keep your GitHub repository private if it contains sensitive data
  • Use GitHub secrets for API keys and sensitive configuration
  • Review and approve all workflow runs in public repositories

2. Dependencies

  • Regularly update your requirements files
  • Use dependency scanning tools
  • Monitor for security advisories

3. Workflow Security

  • Use branch protection rules
  • Require reviews for workflow changes
  • Monitor workflow runs for unexpected behavior

Compliance

1. Licensing

  • MIT License - permissive and business-friendly
  • No copyleft restrictions
  • Clear attribution requirements

2. Data Privacy

  • No telemetry or data collection
  • No personal information transmission
  • Local processing only

3. Open Source Best Practices

  • All code is auditable
  • Clear documentation and examples
  • Community contribution guidelines

Emergency Procedures

1. Security Issues

  • Report security vulnerabilities via the GitHub Security tab
  • Do not post security issues publicly
  • Provide clear reproduction steps

2. Action Failures

  • Check GitHub Actions logs for error details
  • Verify repository permissions and secrets
  • Test locally with UV before reporting issues

3. Updates and Patches

  • Monitor this repository for security updates
  • Update your workflows when new versions are released
  • Subscribe to release notifications

Recommended Security Practices

1. Workflow Configuration

# Limit permissions to minimum required
permissions:
  contents: read
  pull-requests: write

# Use secrets for sensitive data
env:
  API_KEY: ${{ secrets.API_KEY }}

2. Repository Security

  • Enable Dependabot for dependency updates
  • Use branch protection rules
  • Enable security alerts

3. Regular Maintenance

  • Update workflow files monthly
  • Review and rotate secrets quarterly
  • Monitor action usage and performance

This security model ensures that GitHub Actions Simple is safe for public use while providing powerful functionality for data science teams.

There aren’t any published security advisories