
docs: add GitHub Actions Security Cheat Sheet #2090

Merged: jmanico merged 9 commits into OWASP:master from AlexB1986:master, Apr 27, 2026

Conversation

@AlexB1986 (Contributor)

This PR adds GitHub Actions Security Cheat Sheet.

Checklist:

  • In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • All the markdown files do not raise any validation policy violation, see the policy.
  • All the markdown files follow these format rules.
  • All your assets are stored in the assets folder.
  • All the images used are in the PNG format.
  • Any references to websites have been formatted as [TEXT](URL)
  • You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
  • The CI build of your PR passes, see the build status here.

AI Tool Usage Disclosure

  • I have NOT used any AI tool to generate the contents of this PR.
  • I have used AI tools to generate the contents of this PR. I have verified
    the contents and I affirm the results. The LLM used is [llm name and version]
    and the prompt used is [your prompt here]. [Feel free to add more details if needed]

LLM (Claude Haiku 4.5) has been used for proofreading.

This PR fixes issue #1306.

Signed-off-by: AlexB1986 <barabanov.iu8@gmail.com>
Copilot AI left a comment


Pull request overview

Adds a new “GitHub Actions Security Cheat Sheet” to the OWASP Cheat Sheet Series to provide practical guidance on hardening GitHub Actions workflows against common CI/CD attack paths (secrets exfiltration, token misuse, cache poisoning, cost abuse).

Changes:

  • Introduces a new cheat sheet with threat-focused intro and prioritized recommendations.
  • Provides an annotated GitHub Actions workflow example covering triggers, permissions, pinning actions, secrets handling, and deployments.
  • Adds a references section linking to GitHub Security Lab articles and cache poisoning research.

Comment on lines +1 to +3
# GitHub Actions Security Cheat Sheet

## Introduction

Copilot AI, Mar 30, 2026

This PR adds a new cheat sheet file, which changes the generated cheat sheet index. Please regenerate and include the updated root Index.md (generated by scripts/Update_CheatSheets_Index.py) so the new cheat sheet is discoverable from the index.

@jmanico (Member)

jmanico commented Mar 30, 2026

I like this work but it's going to require an extensive review. Please be patient with us.

@AlexB1986 (Contributor Author)

Thanks, I am going to split "4. Write Secure GitHub Workflows" into subsections with smaller code snippets.
Would you be able to do an initial review before the update, or would you prefer that I ping you after the changes have been introduced?
@jmanico @mackowski

@jmanico (Member)

jmanico commented Mar 30, 2026

Alex, I'm nervous about too many code snippets since these are in a security context. Maybe reduce those and focus on good architectural guidance?

@konstruktoid (Contributor)

Nice write-up. One thing I was missing was a mention of using add-mask (https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-commands#masking-a-value-in-a-log) to, e.g., mask set environment variables.

Will you expand on self-hosted runners? I agree it can be an issue on GitHub.com, but less so when using on-prem GHE.
Thinking about runner grouping, container settings and such.
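The add-mask point raised above, as an added example that is not code from the PR or the cheat sheet: a helper for a `run:` step that registers a runtime-derived value with `::add-mask::` before exporting it through `GITHUB_ENV`, so later log lines redact it. The helper name `mask_and_export` is an assumption; the workflow commands and the `GITHUB_ENV` heredoc format are GitHub's documented mechanisms.

```shell
# Added example, not code from the PR or the cheat sheet: a helper for a `run:`
# step that masks a value computed at runtime before exporting it to later steps.
# GitHub only auto-redacts values that come from `secrets.*`; a token a step
# fetches or generates is printed in clear unless ::add-mask:: registers it first.
# Assumes it runs inside a job, where GITHUB_ENV points at the step's env file.

mask_and_export() {
  name="$1"
  value="$2"

  # 1. Register every line of the value with the runner before it can appear
  #    in any log output. ::add-mask:: handles one line at a time, so a
  #    multi-line value (e.g. a PEM key) is masked line by line.
  printf '%s\n' "$value" | while IFS= read -r line; do
    if [ -n "$line" ]; then
      printf '::add-mask::%s\n' "$line"
    fi
  done

  # 2. Export through the GITHUB_ENV file using the heredoc form, which is
  #    safe for multi-line values. A random delimiter stops a crafted value
  #    from terminating the heredoc early and injecting extra variables.
  delim="EOF_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  {
    printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >> "${GITHUB_ENV:?GITHUB_ENV is not set; run this inside a GitHub Actions step}"
}

# Typical use in a step: the token comes back from an API call, not from secrets.*
# TOKEN=$(curl -sf ...) ; mask_and_export API_TOKEN "$TOKEN"
```

The mask must be emitted before the value is written anywhere, including `GITHUB_ENV`; masking after the fact does not redact lines already streamed to the log.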


### 4. Write Secure GitHub Workflows

Below is a typical GitHub Actions workflow with some recommendations in comments. In general, a static code analyzer shall report such issues.

Contributor

"a static code analyzer shall report such issues"
Are you referring to zizmor, or are there any additional recommendations?


Contributor Author

Zizmor and CodeQL, which also has dedicated rules for GitHub Actions and is freely available for open-source public repositories.
Added details.

@AlexB1986 AlexB1986 marked this pull request as draft April 2, 2026 21:59
Signed-off-by: AlexB1986 <barabanov.iu8@gmail.com>
@AlexB1986 AlexB1986 marked this pull request as ready for review April 12, 2026 21:55
Signed-off-by: AlexB1986 <barabanov.iu8@gmail.com>
@AlexB1986 (Contributor Author)

Hello! This PR is ready for review. Could you please take a look when you have a moment? Thank you! @jmanico @mackowski


@mackowski mackowski left a comment


Looks good!

@jmanico jmanico merged commit 5a439e0 into OWASP:master Apr 27, 2026
3 checks passed