Install: claude install-skill Goodsmileduck/claude-registry
# GitHub Actions Pipelines
## When to invoke
**Symptoms:**
- `Not authorized to perform: sts:AssumeRoleWithWebIdentity` from a GitHub Actions job that's "supposed to use OIDC."
- `Error: google-github-actions/auth failed with: failed to generate Google Cloud federated token`.
- A required status check is stuck "Expected — Waiting for status to be reported" on PRs that touched unrelated paths.
- Secrets are `null` / empty in a workflow triggered by a fork PR.
- A reusable workflow can't see the caller's secrets.
- Two deploys to the same environment race each other and the older one wins.
- `actions/cache` reports a hit but the build still re-installs everything.
- A workflow runs untrusted PR code with `pull_request_target` and has secrets — security audit needs a verdict.
**The trap this prevents:** treating GitHub Actions as "just YAML." The privilege model, trigger semantics, and branch-protection interactions have non-obvious failure modes that look like "the action is broken" but are actually misconfiguration.
## Cross-cutting rules
These apply to every section below.
1. **Pin third-party actions to a commit SHA, not a floating tag.** See [supply chain](#supply-chain) for the format. First-party `actions/*` / `aws-actions/*` / `google-github-actions/*` can use major-version tags; everything else pins by SHA.
2. **Default `permissions:` to least-privilege.** Add `permissions: contents: read` at the workflow root and elevate per-job only what's needed. A repo's "def
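A small audit script for rules 1 and 2, added here as an example and not part of the skill or the registry it comes from. It scans workflow text for `uses:` references, accepts a 40-hex commit SHA for any action and a bare major-version tag (`vN`) only for the first-party namespaces named above, and reports the root-level `permissions:` block. The sample workflow, the organisation names in it and the 40-hex SHA are constructed placeholders; the script uses only the standard library, so it runs offline.

```python
"""Audit a GitHub Actions workflow for unpinned third-party actions and a
root-level least-privilege `permissions:` block (added example, line-based
parsing on purpose so it needs no YAML library)."""
import re
from typing import Dict, List, Optional, Tuple

# Namespaces the skill treats as first-party: a major-version tag is acceptable.
FIRST_PARTY_PREFIXES = ("actions/", "aws-actions/", "google-github-actions/")

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
MAJOR_TAG_RE = re.compile(r"^v\d+$")  # only `vN`; `v4.1.1` is still a floating tag


def classify_uses(ref: str) -> str:
    """Return 'ok', 'unpinned', 'local' or 'docker' for one `uses:` value.

    Reusable-workflow references (`org/repo/.github/workflows/x.yml@ref`) go
    through the same rule: SHA always passes, a major tag only for first-party."""
    if ref.startswith("./"):
        return "local"  # same-repo path, nothing to pin
    if ref.startswith("docker://"):
        return "docker"  # images should be pinned by digest; not handled here
    if "@" not in ref:
        return "unpinned"
    name, version = ref.rsplit("@", 1)
    if SHA_RE.match(version):
        return "ok"
    if name.startswith(FIRST_PARTY_PREFIXES) and MAJOR_TAG_RE.match(version):
        return "ok"
    return "unpinned"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """List (line number, reference) for every `uses:` that violates rule 1."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_uses(m.group(1)) == "unpinned":
            findings.append((lineno, m.group(1)))
    return findings


def root_permissions(workflow_text: str) -> Optional[Dict[str, str]]:
    """Return the column-0 `permissions:` block as a dict, or None if absent.

    An inline value such as `permissions: read-all` is returned as {"*": value}.
    Job-level `permissions:` blocks are indented and therefore ignored here."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(.*?)\s*(#.*)?$", line)
        if not m:
            continue
        if m.group(1):
            return {"*": m.group(1)}
        perms: Dict[str, str] = {}
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            if not nxt.startswith((" ", "\t")):
                break  # next top-level key ends the block
            key, _, value = nxt.strip().partition(":")
            perms[key.strip()] = value.strip()
        return perms
    return None


# Constructed sample: org names and the 40-hex SHA are placeholders, not real refs.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
      - uses: some-org/lint-action@v2
      - uses: some-org/release-tool@main
      - uses: other-org/scanner@0123456789abcdef0123456789abcdef01234567 # v3.1.0
      - uses: ./.github/actions/local-step
"""


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: third-party action not pinned to a SHA: {ref}")
    perms = root_permissions(SAMPLE_WORKFLOW)
    if perms is None:
        print("no root-level permissions: block; GITHUB_TOKEN gets the repo default")
    else:
        print(f"root permissions: {perms}")
```

On the sample this flags the two `some-org/*` references (a floating major tag and a branch name) and reports `{'contents': 'read'}` at the root; the job-level `id-token: write` is left to the job, which is the per-job elevation rule 2 asks for.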