feat: add github-actions-hardening skill

[AmirhosseinHonardoust]

Summary

Adds a new skill, github-actions-hardening, that reviews and hardens GitHub Actions workflow files against the Actions-specific threat model; the class of issues general code scanners and language linters miss because the vulnerability lives in the YAML and in how ${{ }} expressions are expanded into a shell before a step runs.

Why this fills a gap

The repo already has a broad security-review skill (application-code vulnerabilities) and a github-actions-ci-cd-best-practices instructions file (general pipeline structure). Neither focuses on workflow security hardening. This skill covers the high-uplift cases where models otherwise generate insecure defaults:

• Script injection from attacker-controllable ${{ github.event.* }} / github.head_ref values interpolated into run: and actions/github-script steps, with the env: safe-pattern fix.
• pull_request_target / workflow_run privilege escalation, checking out and executing fork code with a write token and secrets, plus the safe two-workflow pattern.
• SHA-pinning third-party actions (mutable tags/branches are a supply-chain risk) and Dependabot for github-actions.
• Least-privilege permissions: scoping and OIDC instead of long-lived cloud secrets.
• GITHUB_ENV / GITHUB_OUTPUT injection, secret hygiene, persist-credentials, and self-hosted runner exposure on public repos.

Structure

SKILL.md plus five references/ files (progressive disclosure), matching the format of existing skills such as security-review.

Validation

• Ran npm start to regenerate the skills index so it includes the new skill.
• npm run skill:validate passes (all skills valid, including github-actions-hardening).

[github-actions]

🟡 Contributor Reputation Check: MEDIUM risk

Check	Risk
Profile	MEDIUM
Credential audit	NONE

Maintainers: please review this contributor before merging.
See the workflow run for full details.
Automated check powered by AGT.

[github-actions]

🔒 PR Risk Scan Results

Scanned 7 changed file(s).

Severity	Count
🔴 High	0
🟠 Medium	1
ℹ️ Info	0

Severity	Rule	File	Line	Match
🟠	package-exec-command	docs/README.skills.md	31	| [acreadiness-assess](../skills/acreadiness-assess/SKILL.md)<br />`gh skills install github/awesome-copilot acreadiness-assess` | Run the AgentRC readiness assessment on the curre

This is an automated soft-gate report. Findings indicate review targets and do not block merge by themselves.

[github-actions]

🔍 Skill Validator Results

⚠️ Warnings or advisories found

Scope	Checked
Skills	1
Agents	0
Total	1

Severity	Count
❌ Errors	0
⚠️ Warnings	1
ℹ️ Advisories	0

Summary

Level	Finding
ℹ️	Found 1 skill(s)
ℹ️	[github-actions-hardening] 📊 github-actions-hardening: 2,281 BPE tokens [chars/4: 2,449] (detailed ✓), 14 sections, 1 code blocks
ℹ️	[github-actions-hardening] ⚠ No numbered workflow steps — agents follow sequenced procedures more reliably.
ℹ️	✅ All checks passed (1 skill(s))

Full validator output

Found 1 skill(s)
[github-actions-hardening] 📊 github-actions-hardening: 2,281 BPE tokens [chars/4: 2,449] (detailed ✓), 14 sections, 1 code blocks
[github-actions-hardening]    ⚠  No numbered workflow steps — agents follow sequenced procedures more reliably.
✅ All checks passed (1 skill(s))

[github-actions]

🟡 Contributor Reputation Check: MEDIUM risk

Check	Risk
Profile	MEDIUM
Credential audit	NONE

Maintainers: please review this contributor before merging.
See the workflow run for full details.
Automated check powered by AGT.