Secure and optimize automation Questions
Practice questions for the Secure and optimize automation topic in GitHub Actions. 28 questions covering this domain.
A team wants a deployment workflow to exchange GitHub identity for a cloud access token without storing any cloud secret in the repository. What must ...
A caller workflow wants a reusable workflow to use one of the caller's secrets. What must the caller do?
What do artifact attestations help software consumers verify?
A workflow runs for a pull request from a forked repository. Which credential behavior should the maintainer expect?
Why do GitHub Actions workflows use OpenID Connect with cloud providers?
What is the most secure way to reference a third-party action in a workflow?
A workflow author wants to run a step only when a secret exists. What should they do?
What does setting permissions: {} in a workflow do to GITHUB_TOKEN scopes?
A security team wants cloud trust policies to evaluate repository metadata such as business unit. What GitHub Actions OIDC feature supports that?
A workflow from a forked repository needs broader token access. What can the permissions key usually do?
Which pair matches GitHub's default OIDC issuer and default audience?
Why is storing access tokens inside cached files a bad practice?
A workflow sets permissions so that issues is write and pull-requests is write. What happens to other available permissions?
How long can GITHUB_TOKEN remain valid for a single job?
A workflow author writes a step condition that compares secrets.DEPLOY_KEY to a blank string, and GitHub rejects the expression. What is the supported...
Two jobs in the same run both try to upload to an artifact named build-output by using upload-artifact v4. The second upload fails. Why?
A repository keeps saving caches under the same key, but updated dependencies do not replace the old cache, and some older caches later disappear afte...
A workflow is triggered by a Dependabot pull request. What credentials should the job expect?
A workflow tries to exchange GitHub identity for a cloud token by using OIDC, but the login action reports that no ID token is available. What permiss...
A workflow sets permissions so that issues is write and pull-requests is write. What happens to permissions that are not listed?