- When using a third-party action (one not hosted in a Google-managed org), a fixed version of the action MUST be used by pinning it to a specific commit rather than to a branch like "main" or a tagged release, which can be overwritten by any maintainer of the action.
- Docker and GitHub runner images should always be run at a fixed version rather than "latest".
- If an action is granted additional GitHub access (by being passed the GITHUB_TOKEN variable), all main development branches (typically, "main") must use branch protection with "Require pull request reviews before merging" enabled and/or "Restrict who can push to matching branches" limited to repository admins.
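
A small checker for the first two rules, added here as an example and not part of this repository's own tooling. The `TRUSTED_ORGS` allow-list, the function names and the sample workflow are assumptions made for illustration.

```python
import re
# Assumption: orgs treated as Google-managed; replace with your own allow-list.
TRUSTED_ORGS = {"google", "googlecloudplatform"}
FULL_SHA = re.compile(r"[0-9a-f]{40}")
KEY_VALUE = re.compile(r"^\s*(?:-\s*)?(uses|image|runs-on):\s*['\"]?([^'\"\s#]+)")

def docker_floating(image):
    """True if a Docker reference has no digest and no tag, or the tag 'latest'."""
    name = image.rsplit("/", 1)[-1]  # drop registry host:port and namespace
    return "@sha256:" not in image and (":" not in name or name.endswith(":latest"))

def check_workflow(text, trusted=TRUSTED_ORGS):
    """Return (line_number, problem) pairs for references that are not pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "runs-on":
            if value.endswith("-latest"):
                findings.append((lineno, f"runner image {value} is not a fixed version"))
        elif key == "image" or value.startswith("docker://"):
            if docker_floating(value.removeprefix("docker://")):
                findings.append((lineno, f"Docker image {value} is not a fixed version"))
        elif not value.startswith("./"):  # local actions live in this repository
            action, _, ref = value.partition("@")
            if action.split("/")[0].lower() not in trusted and not FULL_SHA.fullmatch(ref):
                findings.append((lineno, f"action {value} is not pinned to a commit"))
    return findings

# Constructed sample workflow; action names other than actions/checkout are made up.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: node:latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567
      - uses: google/some-action@v1
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    print(*check_workflow(SAMPLE), sep="\n")
```

The scan is line-based, so it does not resolve matrix expressions or multi-line `runs-on` lists; those still need manual review.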