GitHub Actions动作版本治理（uses@sha-pin-权限）最佳实践

核心要点动作必须使用不可变 `@<sha>` 固定；禁止 `@vX` 与 `@main`。最小权限与受控密钥；工作流仅启用必要的 `permissions`。实现示例type Step = { uses?: string; with?: Record<string, string>; permissions?: Record<string, 'read' | 'write'> } function pinned(uses?: string): boolean { if (!uses) return false const m = /@[a-f0-9]{40}$/i.exec(uses) return !!m } function validPerms(perms?: Record<string, 'read' | 'write'>): boolean { if (!perms) return true const deny = ['admin'] for (const k of Object.keys(perms)) if (deny.includes(k)) return false return true } function evaluate(steps: Step[]): { ok: boolean; errors: string[] } { const errors: string[] = [] for (const s of steps) { if (s.uses && !pinned(s.uses)) errors.push(`unpin:${s.uses}`) if (!validPerms(s.permissions)) errors.push('permissions') } return { ok: errors.length === 0, errors } } 审计与CI门禁构建前校验所有 `uses` 是否 `@<sha>` 固定；不合规阻断。审计记录包含动作名称、固定版本与权限摘要，支持回溯。