
The Apache Infrastructure GitHub Actions Policy sets out the formal rules for the use of GitHub Actions. The content below is intended as more practical advice.


IMPORTANT! You should enable CodeQL "actions" scanning in your repositories (see https://github.blog/security/application-security/how-to-secure-your-github-actions-workflows-with-codeql/). It automatically scans for and flags the issues described below, and many more.

Threat model

We're trying to protect:

...