GitHub's action restrictions are recursive - they check not only the action you call, but also every action used internally.
If your workflow uses:
uses: compose-network/github-actions/actions/local-testnet@v0.2.0And that action internally uses:
uses: actions/checkout@v4 uses: actions/setup-go@v6 uses: docker/setup-buildx-action@v3GitHub will block them if you set:
Allowed actions: compose-network/github-actions@* You cannot wrap external actions to bypass security restrictions - this is by design.
Replace ALL external actions with native shell commands:
| External Action | Replaced With |
|---|---|
actions/checkout@v4 | Native git clone |
actions/setup-go@v6 | Direct download from go.dev |
docker/setup-buildx-action@v3 | Native docker buildx commands |
Now you can set the strictest restrictions and it works!
Repository URLs are hardcoded in the actions and cannot be overridden:
# In actions/local-testnet/action.yml --publisher-url=https://github.com/compose-network/publisher.git --op-geth-url=https://github.com/compose-network/op-geth.gitUsers can only specify branch names:
with: publisher-branch: 'my-branch' # ✅ Allowed publisher-url: 'https://...' # ❌ Not possiblePrevents: Attackers from cloning malicious repositories.
All actions use only native commands:
bash,git,curl,wget,docker,jq
No third-party GitHub Actions are used.
Prevents:
- Supply chain attacks through compromised actions
- Automatic updates breaking your workflows
- External action dependencies being removed
Configure repositories to only allow tagged versions:
Settings → Actions → General → Allowed actions: compose-network/github-actions@* Then in runner group:
Workflow access: Selected workflows → owner/repo/.github/workflows/*.yml@refs/tags/* Prevents:
- Workflows running from untested branches
- Automatic updates to actions
- Code injection via branch manipulation
Settings → Actions → General → Actions permissions → Allow select actions and reusable workflows → Allowed actions: compose-network/github-actions@* This restricts the repository to ONLY use actions from compose-network/github-actions.
Settings → Actions → Runner groups → public-isolated Repository access: Selected repositories → compose-network/publisher → compose-network/op-geth Workflow access: Selected workflows → compose-network/publisher/.github/workflows/*.yml@refs/tags/* → compose-network/op-geth/.github/workflows/*.yml@refs/tags/* This ensures:
- Only specific repositories can use the runner
- Only specific workflow files can run
- Only tagged releases (not branches) can trigger workflows
With this configuration, malicious actors cannot:
❌ Use actions/checkout to clone their own malicious repository ❌ Use any external third-party actions ❌ Override repository URLs to point to malicious code ❌ Run workflows from branches (only tags allowed) ❌ Create new unauthorized workflow files ❌ Use the runner from unauthorized repositories
Attack: PR contributor tries to checkout their malicious repo
- uses: actions/checkout@v4 with: repository: attacker/malicious-codeBlocked by: actions/checkout not in allowed actions list
Attack: Try to override repository URLs
- uses: compose-network/github-actions/actions/local-testnet@v0.2.0 with: publisher-url: 'https://github.com/attacker/publisher.git'Blocked by: Input doesn't exist - URLs are hardcoded
Attack: Modify code in main branch to inject malicious code Blocked by: Workflows can only run from @refs/tags/*, not branches
Attack: actions/checkout@v4 gets compromised by attackers Blocked by: We don't use external actions - only native commands
✅ Maximum security - zero external dependencies ✅ No supply chain risk ✅ Fully auditable code ✅ Works with strictest restrictions
Step 1: Repository Settings
compose-network/github-actions@* Step 2: Runner Group
Workflows: *.yml@refs/tags/* Step 3: Workflow File
uses: compose-network/github-actions/actions/local-testnet@v0.2.0This gives you maximum security with minimal complexity.