GitHub Actions profile 0.1.0

GitHub Actions AI-agent security gate.

A useful gate must control who can start the workflow, what its token can do, which exact action code runs, how untrusted text reaches execution, and when a human must approve the next step.

This profile turns current GitHub guidance into eight testable controls, a SHA-pinned workflow, and a privacy-safe CapitalGuard preview. It is a baseline, not a promise that every workflow is safe.

CapitalGuard Security Research | Version 0.1.0 | Sources checked July 17, 2026

Control profile

Eight checks before an AI-generated change can move forward.

Each control names the failure mode, the required decision, the evidence to retain, and the matching CapitalGuard Standard control.

ControlFailure modeRequired actionEvidence

CG-GHA-001

Authorized repository scope

CGS-AUTH-001

A security workflow can become an unapproved scan of code the operator does not own or control.Record repository authorization and keep the workflow scoped to the repository that triggered the run.authorization-confirmed is explicit and the job does not fetch another private repository.

CG-GHA-002

Trusted trigger boundary

CGS-PRIV-001

An untrusted actor or event can start a privileged workflow before branch rules or review can intervene.Use pull_request for untrusted changes. Restrict or prohibit pull_request_target and manual triggers where organizational execution protections are available.Trigger list, actor policy, event policy, and any evaluated exceptions are retained.

CG-GHA-003

Read-only token

CGS-PRIV-001

A compromised action can inherit repository write authority through GITHUB_TOKEN.Declare permissions at workflow or job level and grant contents: read unless a separately reviewed operation needs more.The workflow contains an explicit minimal permissions block with no implicit write scope.

CG-GHA-004

Immutable action dependencies

CGS-TRACE-001

A mutable tag can later point to different code while the workflow file appears unchanged.Pin every third-party action to a verified full-length commit SHA and record the human-readable release in a comment.All uses references are full 40-character commit SHAs from the intended upstream repositories.

CG-GHA-005

No persisted checkout credential

CGS-SEC-001

A later step can reuse the checkout credential even when that step does not need repository authentication.Set persist-credentials: false and provide a separately scoped credential only to a reviewed step that needs it.Checkout configuration and the absence of later ambient credential use are reviewable in the workflow.

CG-GHA-006

Untrusted input stays data

CGS-INJ-001

Pull request text, branch names, or other attacker-controlled context can become shell code.Pass untrusted context through action inputs or intermediate environment variables, never direct expression expansion inside a generated shell script.Inline run blocks contain no direct executable interpolation of untrusted github context fields.

CG-GHA-007

OIDC is narrow and optional

CGS-ATTEST-001

Identity permissions can be misunderstood as proof that the workflow logic or repository is safe.Grant id-token: write only to the job that requests a signed preview or short-lived credential, validate claims server-side, and remove the permission when unused.The receiving service validates issuer, audience, repository identity, workflow revision, signature, and expiry.

CG-GHA-008

High-impact actions require a second gate

CGS-HUMAN-001

A passing scan can be treated as permission to deploy, publish, rotate credentials, or change production.Keep deployment and secret release in a separate protected environment with required review, restricted branches, and no self-approval where available.Environment protections and the human decision are separate from the scanner result.

Immutable starter workflow

Copy the gate. Review the declarations.

Both actions are pinned to full commit SHAs. Set manual-controls-confirmed to true only after a person has reviewed least privilege and high-impact approval gates. Remove id-token: write when signed preview is disabled.

actions/checkout v6

df4cb1c069e1874edd31b4311f1884172cec0e10

CapitalGuard Action v1

33d6a70d997c67a53f74247f1bdc83dbeb7d9079

.github/workflows/capitalguard.yml

Raw YAML
name: CapitalGuard AI-agent gate

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write # Remove if signed-preview is false.

jobs:
  capitalguard:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the triggering repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          persist-credentials: false

      - name: Check AI-agent exposure
        uses: CapitalGuard-Security/capitalguard-action@33d6a70d997c67a53f74247f1bdc83dbeb7d9079 # v1
        with:
          authorization-confirmed: true
          manual-controls-confirmed: true
          fail-on: high
          signed-preview: true
          annotations: false

Evidence chain

Know what each proof actually proves.

Workflow result

Reports the open control outcome and aggregate exposure signals for this run.

Community Guardprint

Binds the aggregate evidence state to SHA-256 without exposing source or secret values.

Signed Preview

Binds a fixed aggregate receipt to verified GitHub workflow identity, expiry, and revocation.

CapitalGuard Verified

Requires a separate licensed, authorized review and an active official registry record.

Primary documentation

Five sources. One explicit interpretation boundary.

CapitalGuard maps current GitHub documentation into a conservative profile. The sources describe GitHub capabilities and recommendations; they do not independently certify this profile or any repository.

SourceControlDocumented boundaryChecked
Secure use referenceLeast privilege and immutable action referencesGitHub recommends read-only repository contents as the default GITHUB_TOKEN permission and states that a full-length commit SHA is the only immutable way to reference an action release.2026-07-17
Script injectionsUntrusted workflow inputGitHub documents that pull request titles, bodies, branch names, labels, and other context fields can contain attacker-controlled text and must not flow directly into executable scripts.2026-07-17
OpenID ConnectShort-lived workflow identityGitHub documents OIDC as a way for a workflow to request short-lived, scoped identity rather than storing a long-lived cloud credential, while trust still depends on validating claims and policy.2026-07-17
Deployments and environmentsHuman approval and secret releaseGitHub environments can require reviewers, restrict deployment branches, and withhold environment secrets until protection rules pass; availability and behavior vary by repository visibility and plan.2026-07-17
Workflow execution protectionsActor and event authorizationGitHub's public-preview execution protections can restrict which actors and events start workflows, including controls for pull_request_target and workflow_dispatch, but preview features require current-plan verification.2026-07-17

Claim boundary

What this profile does not prove.

This profile does not prove that an AI agent, workflow, runner, dependency, or repository is safe.

The public CapitalGuard Action reports aggregate exposure signals. It intentionally withholds exact affected paths, proprietary scoring, prevention assets, and CapitalGuard Verified status.

A signed preview proves the integrity and GitHub workflow identity of a fixed aggregate evidence receipt. It does not certify the repository or replace an authorized review.

GitHub plan availability, repository visibility rules, public-preview features, and product behavior can change. Re-check the cited GitHub documentation before enforcement.

Processes launched outside the workflow, compromised runners or hosts, and external systems outside the declared scope remain separate security boundaries.

When aggregate signals are not enough

Unlock exact paths, prevention order, and official review.

The public gate is deliberately limited. A CapitalGuard license adds the authorized reporting, preventive assets, and verification workflow promised by the selected plan.

Open Licensed Path

Method: direct GitHub documentation and immutable public action references, checked July 17, 2026. Material corrections create a new version and retain prior release files instead of silently replacing them.