
UHG/Optum GitHub Actions Compliance Policy

Corporate policy for allowed GitHub Actions sources in workflows

Status: active
IDE: claude, codex, vscode
Version: 1.0.0
Owner: thudak
Tags: github-actions, security, compliance, devops, ci-cd, policy


Corporate Policy

All GitHub Actions workflows in UHG/Optum repositories MUST only use actions from approved sources.

External actions are BLOCKED by GitHub Enterprise policy and will cause workflow failures.

Allowed Action Sources

1. Enterprise-Owned Repositories

Actions from internal organizations are always allowed:

  • uhg-internal/* - Internal organization actions
  • optum-tech-compute/* - OHEMR organization actions

Examples:

uses: optum-tech-compute/ohemr-action-library/.github/workflows/semantic-release.yml@v5
uses: uhg-internal/epl-github-actions/some-action@v1

2. GitHub Official Actions

All actions in the actions/* namespace are allowed:

  • actions/checkout@v4
  • actions/setup-node@v4
  • actions/setup-python@v5
  • actions/upload-artifact@v4
  • actions/github-script@v7
  • actions/[email protected]
  • actions/stale@v10

3. Approved Vendor Patterns

Only the following external vendors are permitted:

Security & Testing

  • NeuraLegion/* - Bright Security scanning
  • PaloAltoNetworks/prisma-cloud-scan@* - Cloud security
  • bridgecrewio/* - Infrastructure security
  • checkmarx/* - SAST scanning
  • accelQ-Inc/accelq-ci-github-actions@* - Test automation

Cloud Providers

  • aws-actions/* - AWS integrations
  • azure/* - Azure integrations

Deployment & Automation

  • OctopusDeploy/* - Deployment automation
  • databricks/* - Databricks integrations

Development Tools

  • adobe/* - Adobe integrations
  • android-actions/setup-android@* - Android tooling

Disallowed Actions (Common Examples)

The following are NOT ALLOWED and will fail:

  • ❌ codecov/codecov-action - Code coverage reporting
  • ❌ softprops/action-gh-release - GitHub release creation
  • ❌ DavidAnson/markdownlint-cli2-action - Markdown linting
  • ❌ docker/* - Docker actions (except approved patterns)
  • ❌ sonarsource/* - SonarQube actions
  • ❌ snyk/* - Snyk security scanning

Replacement Strategies

Strategy 1: Use Internal Alternatives

Check for reusable workflows in internal repositories:

# Search for reusable workflows
gh search repos --owner optum-tech-compute "actions"
gh search repos --owner uhg-internal "actions" "epl"

Example: Instead of external semantic-release action:

# ✅ ALLOWED: Use internal reusable workflow
jobs:
  release:
    uses: optum-tech-compute/ohemr-action-library/.github/workflows/semantic-release.yml@v5
    secrets: inherit

Strategy 2: Run Tools Directly

Instead of using external actions, run CLI tools directly:

# ❌ NOT ALLOWED
- uses: DavidAnson/markdownlint-cli2-action@v16

# ✅ ALLOWED: Run tool directly
- name: Lint Markdown
  run: |
    npm install -g markdownlint-cli2
    markdownlint-cli2 "**/*.md"

# ❌ NOT ALLOWED
- uses: softprops/action-gh-release@v2

# ✅ ALLOWED: Use gh CLI
- name: Create Release
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: |
    gh release create "${{ github.ref_name }}" \
      --title "Release ${{ github.ref_name }}" \
      --generate-notes

Strategy 3: Remove Non-Critical Features

If internal alternatives don't exist and direct execution isn't feasible, consider removing the feature:

# ❌ NOT ALLOWED
- uses: codecov/codecov-action@v4
# ✅ SOLUTION: Remove code coverage reporting to Codecov
# Consider internal alternatives:
# - Azure DevOps code coverage
# - GitHub Actions coverage comments
# - Self-hosted coverage reporting

Enforcement

Runtime Enforcement

GitHub Enterprise automatically blocks disallowed actions:

Error: The action codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238
is not allowed in optum-tech-compute/repository-name because all actions must be
from a repository owned by your enterprise, created by GitHub, or match one of
the patterns: [approved vendor list]

Pre-Commit Validation

Enable actionlint in pre-commit hooks:

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/rhysd/actionlint
    rev: v1.7.4
    hooks:
      - id: actionlint

Configure actionlint policy in .github/actionlint.yaml (see otc-awesome-llm repo for template).

CI Validation

Enable actionlint in Super-Linter:

# .github/linters/super-linter.env
VALIDATE_GITHUB_ACTIONS=true

Configuration Files

actionlint Configuration

Create .github/actionlint.yaml:

# actionlint configuration for UHG/Optum GitHub Actions compliance

self-hosted-runner:
  labels:
    - nomad-epic-actions-runner
    - prod-ctc2-uhg
    - prod-elr2-uhg

# Note: actionlint doesn't enforce action restrictions at lint time
# Enforcement happens at runtime by GitHub Enterprise
# See this document for full policy

Pre-Commit Configuration

Add to .pre-commit-config.yaml:

repos:
  - repo: https://github.com/rhysd/actionlint
    rev: v1.7.4
    hooks:
      - id: actionlint
        args: ['-ignore', 'SC2086', '-ignore', 'SC2129']

Reference Implementations

Working examples of compliant workflows:

  1. optum-tech-compute/ohemr-action-library

    • Reusable workflows for semantic release, linting, testing
    • Uses only internal and GitHub official actions
    • Template: .github/workflows/reuseable-*.yml
  2. optum-tech-compute/ohemr-epic-megadoc

    • Production CI/CD pipeline
    • Full integration testing
    • Template: .github/workflows/tfe-builder.yml
  3. optum-tech-compute/otc-awesome-llm

    • CI/CD with quality checks
    • Template: .github/workflows/ci.yml

Troubleshooting

Error: Action Not Allowed

Symptom: Workflow fails with "action ... is not allowed"

Solution:

  1. Check if action is from approved source (see "Allowed Action Sources" above)
  2. If not approved, use replacement strategy (see "Replacement Strategies" above)
  3. Search for internal alternative in optum-tech-compute or uhg-internal
  4. Run tool directly instead of using action
  5. Remove feature if not critical

How to Find Internal Alternatives

# Search optum-tech-compute repos
gh search repos --owner optum-tech-compute "semantic-release"
gh search repos --owner optum-tech-compute "actions"

# Search uhg-internal repos (requires VPN)
gh search repos --owner uhg-internal "epl"
gh search repos --owner uhg-internal "actions"

# List reusable workflows in ohemr-action-library
ls -la /path/to/ohemr-action-library/.github/workflows/reuseable-*.yml

Migrating Existing Workflows

Step 1: Identify disallowed actions

# Scan workflows for external actions
grep -r "uses:" .github/workflows/ | grep -v "actions/" | grep -v "optum-tech-compute/" | grep -v "uhg-internal/"
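The grep above is a quick first pass, but it drops any reference whose path merely contains "actions/" (for example snyk/actions/node) and knows nothing about the approved vendor patterns. The following script is an added example, not part of this policy or of any internal tooling: it pulls every `uses:` reference out of workflow text (job-level reusable workflows and step-level actions, quoted or not) and classifies each one against the allow list given in this document. The sample workflow at the bottom is constructed for illustration.

```python
import fnmatch
import re

# Allowed sources as listed in this policy. Vendor entries drop their "@*"
# version wildcard; "owner/*" covers every repository and subpath under that owner.
ENTERPRISE_ORGS = {"uhg-internal", "optum-tech-compute"}
VENDOR_PATTERNS = [
    "NeuraLegion/*", "PaloAltoNetworks/prisma-cloud-scan", "bridgecrewio/*",
    "checkmarx/*", "accelQ-Inc/accelq-ci-github-actions", "aws-actions/*",
    "azure/*", "OctopusDeploy/*", "databricks/*", "adobe/*",
    "android-actions/setup-android",
]
# Matches `uses: ref` both as a job key and as a `- uses:` step, quoted or not.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^\s"'#]+)""")


def classify(ref: str) -> str:
    """Map one `uses:` reference to local/enterprise/github/vendor/disallowed."""
    if ref.startswith("./"):
        return "local"          # action checked into this repository
    if ref.startswith("docker://"):
        return "disallowed"     # container refs are not an approved source here
    repo = ref.split("@", 1)[0].lower()  # drop version; GitHub names are case-insensitive
    owner = repo.split("/", 1)[0]
    if owner in ENTERPRISE_ORGS:
        return "enterprise"
    if owner == "actions":
        return "github"
    if any(fnmatch.fnmatchcase(repo, p.lower()) for p in VENDOR_PATTERNS):
        return "vendor"
    return "disallowed"


def audit_workflow(text: str) -> list:
    """Return (line_no, ref) for each `uses:` in a workflow text that is disallowed."""
    refs = [(n, m.group(1)) for n, line in enumerate(text.splitlines(), 1)
            if (m := USES_RE.match(line))]
    return [(n, ref) for n, ref in refs if classify(ref) == "disallowed"]


# Constructed sample workflow mixing allowed and disallowed references.
SAMPLE = """\
jobs:
  release:
    uses: optum-tech-compute/ohemr-action-library/.github/workflows/semantic-release.yml@v5
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
      - uses: "codecov/codecov-action@v4"
      - uses: snyk/actions/node@master  # hidden from a grep -v "actions/" scan
      - uses: ./.github/actions/local-check
"""
```

Run `audit_workflow(path.read_text())` over each file in `.github/workflows/` to get the line numbers to fix before the enterprise policy rejects the run.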

Step 2: For each disallowed action:

  1. Search for internal alternative
  2. Try running tool directly
  3. Remove if not critical
  4. Document in PR why replacement was needed

Step 3: Validate with actionlint

actionlint .github/workflows/*.yml

Step 4: Test workflow

  • Create test branch
  • Trigger workflow
  • Verify all jobs pass

Summary

DO:

✅ Use actions from uhg-internal/*, optum-tech-compute/*
✅ Use GitHub official actions (actions/*)
✅ Use approved vendor patterns (see list above)
✅ Run CLI tools directly when an action isn't available
✅ Check ohemr-action-library for reusable workflows
✅ Enable actionlint validation in pre-commit and CI

DON'T:

❌ Use unapproved external actions
❌ Try to bypass enterprise policy
❌ Assume "popular action" means "allowed action"
❌ Ignore actionlint warnings about actions

This is a MANDATORY enterprise security policy. Compliance is not optional.

Related Documentation

  • Repository instructions: claude.md section "5. Allowed GitHub Actions Sources"
  • Action library: optum-tech-compute/ohemr-action-library
  • Workflow examples: optum-tech-compute/ohemr-epic-megadoc
  • Pre-commit config: .pre-commit-config.yaml
  • Actionlint config: .github/actionlint.yaml

Policy Rationale

This policy exists to:

  1. Reduce supply chain risk - External actions could be compromised
  2. Ensure support - Internal teams can maintain and fix internal actions
  3. Audit compliance - Enterprise policy enables security auditing
  4. Consistent standards - Internal actions follow UHG security requirements
  5. Reduce dependencies - Fewer external dependencies = more stability

Questions or exceptions? Contact Epic Azure Admins team.
