UHG/Optum GitHub Actions Compliance Policy
Corporate policy for allowed GitHub Actions sources in workflows
Corporate Policy
All GitHub Actions workflows in UHG/Optum repositories MUST only use actions from approved sources.
External actions are BLOCKED by GitHub Enterprise policy and will cause workflow failures.
Allowed Action Sources
1. Enterprise-Owned Repositories
Actions from internal organizations are always allowed:
- uhg-internal/* - Internal organization actions
- optum-tech-compute/* - OHEMR organization actions
Examples:
uses: optum-tech-compute/ohemr-action-library/.github/workflows/semantic-release.yml@v5
uses: uhg-internal/epl-github-actions/some-action@v1
2. GitHub Official Actions
All actions in the actions/* namespace are allowed:
- actions/checkout@v4
- actions/setup-node@v4
- actions/setup-python@v5
- actions/upload-artifact@v4
- actions/github-script@v7
- actions/[email protected]
- actions/stale@v10
3. Approved Vendor Patterns
Only the following external vendors are permitted:
Security & Testing
- NeuraLegion/* - Bright Security scanning
- PaloAltoNetworks/prisma-cloud-scan@* - Cloud security
- bridgecrewio/* - Infrastructure security
- checkmarx/* - SAST scanning
- accelQ-Inc/accelq-ci-github-actions@* - Test automation
Cloud Providers
- aws-actions/* - AWS integrations
- azure/* - Azure integrations
Deployment & Automation
- OctopusDeploy/* - Deployment automation
- databricks/* - Databricks integrations
Development Tools
- adobe/* - Adobe integrations
- android-actions/setup-android@* - Android tooling
Disallowed Actions (Common Examples)
The following are NOT ALLOWED and will fail:
❌ codecov/codecov-action - Code coverage reporting
❌ softprops/action-gh-release - GitHub release creation
❌ DavidAnson/markdownlint-cli2-action - Markdown linting
❌ docker/* - Docker actions (except approved patterns)
❌ sonarsource/* - SonarQube actions
❌ snyk/* - Snyk security scanning
Replacement Strategies
Strategy 1: Use Internal Alternatives
Check for reusable workflows in internal repositories:
# Search for reusable workflows
gh search repos --owner optum-tech-compute "actions"
gh search repos --owner uhg-internal "actions" "epl"
Example: Instead of external semantic-release action:
# ✅ ALLOWED: Use internal reusable workflow
jobs:
  release:
    uses: optum-tech-compute/ohemr-action-library/.github/workflows/semantic-release.yml@v5
    secrets: inherit
Strategy 2: Run Tools Directly
Instead of using external actions, run CLI tools directly:
# ❌ NOT ALLOWED
- uses: DavidAnson/markdownlint-cli2-action@v16

# ✅ ALLOWED: Run tool directly
- name: Lint Markdown
  run: |
    npm install -g markdownlint-cli2
    markdownlint-cli2 "**/*.md"

# ❌ NOT ALLOWED
- uses: softprops/action-gh-release@v2

# ✅ ALLOWED: Use gh CLI
- name: Create Release
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: |
    gh release create "${{ github.ref_name }}" \
      --title "Release ${{ github.ref_name }}" \
      --generate-notes
Strategy 3: Remove Non-Critical Features
If internal alternatives don't exist and direct execution isn't feasible, consider removing the feature:
# ❌ NOT ALLOWED
- uses: codecov/codecov-action@v4

# ✅ SOLUTION: Remove code coverage reporting to Codecov
# Consider internal alternatives:
#   - Azure DevOps code coverage
#   - GitHub Actions coverage comments
#   - Self-hosted coverage reporting
Enforcement
Runtime Enforcement
GitHub Enterprise automatically blocks disallowed actions:
Error: The action codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238
is not allowed in optum-tech-compute/repository-name because all actions must be
from a repository owned by your enterprise, created by GitHub, or match one of
the patterns: [approved vendor list]
Pre-Commit Validation
Enable actionlint in pre-commit hooks:
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/rhysd/actionlint
    rev: v1.7.4
    hooks:
      - id: actionlint
Configure actionlint policy in .github/actionlint.yaml (see otc-awesome-llm repo for template).
CI Validation
Enable actionlint in Super-Linter:
# .github/linters/super-linter.env
VALIDATE_GITHUB_ACTIONS=true
Configuration Files
actionlint Configuration
Create .github/actionlint.yaml:
# actionlint configuration for UHG/Optum GitHub Actions compliance
self-hosted-runner:
  labels:
    - nomad-epic-actions-runner
    - prod-ctc2-uhg
    - prod-elr2-uhg

# Note: actionlint doesn't enforce action restrictions at lint time.
# Enforcement happens at runtime by GitHub Enterprise.
# See this document for the full policy.
Pre-Commit Configuration
Add to .pre-commit-config.yaml:
repos:
  - repo: https://github.com/rhysd/actionlint
    rev: v1.7.4
    hooks:
      - id: actionlint
        args: ['-ignore', 'SC2086', '-ignore', 'SC2129']
Reference Implementations
Working examples of compliant workflows:
- optum-tech-compute/ohemr-action-library
  - Reusable workflows for semantic release, linting, testing
  - Uses only internal and GitHub official actions
  - Template: .github/workflows/reuseable-*.yml
- optum-tech-compute/ohemr-epic-megadoc
  - Production CI/CD pipeline
  - Full integration testing
  - Template: .github/workflows/tfe-builder.yml
- optum-tech-compute/otc-awesome-llm
  - CI/CD with quality checks
  - Template: .github/workflows/ci.yml
Troubleshooting
Error: Action Not Allowed
Symptom: Workflow fails with "action ... is not allowed"
Solution:
- Check if action is from approved source (see "Allowed Action Sources" above)
- If not approved, use replacement strategy (see "Replacement Strategies" above)
- Search for an internal alternative in optum-tech-compute or uhg-internal
- Run the tool directly instead of using the action
- Remove feature if not critical
How to Find Internal Alternatives
# Search optum-tech-compute repos
gh search repos --owner optum-tech-compute "semantic-release"
gh search repos --owner optum-tech-compute "actions"
# Search uhg-internal repos (requires VPN)
gh search repos --owner uhg-internal "epl"
gh search repos --owner uhg-internal "actions"
# List reusable workflows in ohemr-action-library
ls -la /path/to/ohemr-action-library/.github/workflows/reuseable-*.yml
Migrating Existing Workflows
Step 1: Identify disallowed actions
# Scan workflows for external actions
grep -r "uses:" .github/workflows/ | grep -v "actions/" | grep -v "optum-tech-compute/" | grep -v "uhg-internal/"
Step 2: For each disallowed action:
- Search for internal alternative
- Try running tool directly
- Remove if not critical
- Document in PR why replacement was needed
Step 3: Validate with actionlint
actionlint .github/workflows/*.yml
Step 4: Test workflow
- Create test branch
- Trigger workflow
- Verify all jobs pass
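As an added worked example (not a tool from this policy or from any UHG/Optum repository), the following Python script implements the allowlist described under "Allowed Action Sources" and automates Step 1 of the migration above. Unlike the single grep, it also catches job-level uses: lines for reusable workflows and quoted references, applies the vendor patterns rather than only the two internal org prefixes, and reports the line number of each blocked reference. The organization names and vendor patterns are copied from this page; the sample workflow text is constructed, and treating local ./ actions as allowed is an assumption.

```python
"""Allowlist check for GitHub Actions `uses:` references.

Added example for this policy page; not an official UHG/Optum or GitHub
tool. Org names and vendor patterns are copied from the page; the
SAMPLE_WORKFLOW below is constructed.
"""
import re
import sys
from pathlib import Path

# Enterprise-owned organizations: every action in them is allowed.
ENTERPRISE_ORGS = ("uhg-internal", "optum-tech-compute")

# Approved vendor patterns from the page. "owner/*" allows any repository
# under that owner; "owner/repo" allows only that repository at any ref
# (the page writes these as "owner/repo@*").
VENDOR_PATTERNS = (
    "NeuraLegion/*",
    "PaloAltoNetworks/prisma-cloud-scan",
    "bridgecrewio/*",
    "checkmarx/*",
    "accelQ-Inc/accelq-ci-github-actions",
    "aws-actions/*",
    "azure/*",
    "OctopusDeploy/*",
    "databricks/*",
    "adobe/*",
    "android-actions/setup-android",
)

# Matches step-level `- uses: x` and job-level `uses: x` (reusable
# workflow), with or without quotes around the reference.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^'"\s#]+)""")


def classify(ref: str) -> str:
    """Classify one `uses:` reference as
    'local', 'enterprise', 'github', 'vendor' or 'blocked'."""
    if ref.startswith("./"):
        # Action in the workflow's own repository. Assumption: that repo is
        # enterprise-owned, so the reference is allowed.
        return "local"
    if ref.startswith("docker://"):
        # Container image, not a repository; no pattern on the page covers
        # it, so report it for review.
        return "blocked"
    parts = ref.partition("@")[0].split("/")    # drop @ref, split path
    if len(parts) < 2:
        return "blocked"                         # malformed reference
    owner, repo = parts[0].casefold(), parts[1].casefold()
    if owner in {o.casefold() for o in ENTERPRISE_ORGS}:
        return "enterprise"
    if owner == "actions":
        return "github"
    for pattern in VENDOR_PATTERNS:
        pat_owner, pat_repo = pattern.split("/", 1)
        if owner == pat_owner.casefold() and (
            pat_repo == "*" or repo == pat_repo.casefold()
        ):
            return "vendor"
    return "blocked"


def find_violations(workflow_text: str):
    """Return [(line_number, reference)] for every blocked `uses:` line."""
    found = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "blocked":
            found.append((number, match.group(1)))
    return found


def scan_workflows(root: str = ".") -> dict:
    """Scan <root>/.github/workflows/*.yml|*.yaml; map file -> violations."""
    workflows = Path(root) / ".github" / "workflows"
    report = {}
    for path in sorted(list(workflows.glob("*.yml")) + list(workflows.glob("*.yaml"))):
        hits = find_violations(path.read_text(encoding="utf-8"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample workflow (not from any real repository).
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  release:
    uses: optum-tech-compute/ohemr-action-library/.github/workflows/semantic-release.yml@v5
    secrets: inherit
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: "actions/setup-node@v4"
      - uses: aws-actions/configure-aws-credentials@v4
      - uses: codecov/codecov-action@v4
      - uses: softprops/action-gh-release@v2
      - uses: ./.github/actions/local-step
"""


if __name__ == "__main__":
    # With a repository path argument, scan it; otherwise check the sample.
    if len(sys.argv) > 1:
        for file, hits in scan_workflows(sys.argv[1]).items():
            for number, ref in hits:
                print(f"{file}:{number}: blocked action {ref}")
    else:
        for number, ref in find_violations(SAMPLE_WORKFLOW):
            print(f"sample:{number}: blocked action {ref}")
```

Run it from a repository root as python check_actions.py . before opening the migration PR; on the constructed sample it reports the codecov and softprops references and nothing else. Owner matching is case-insensitive, so PaloAltoNetworks and paloaltonetworks are treated the same, but a vendor pattern without a wildcard only admits the one repository it names.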
Summary
DO:
✅ Use actions from uhg-internal/*, optum-tech-compute/*
✅ Use GitHub official actions (actions/*)
✅ Use approved vendor patterns (see list above)
✅ Run CLI tools directly when action isn't available
✅ Check ohemr-action-library for reusable workflows
✅ Enable actionlint validation in pre-commit and CI
DON'T:
❌ Use unapproved external actions
❌ Try to bypass enterprise policy
❌ Assume "popular action" means "allowed action"
❌ Ignore actionlint warnings about actions
This is a MANDATORY enterprise security policy. Compliance is not optional.
Related Documentation
- Repository instructions: claude.md section "5. Allowed GitHub Actions Sources"
- Action library: optum-tech-compute/ohemr-action-library
- Workflow examples: optum-tech-compute/ohemr-epic-megadoc
- Pre-commit config: .pre-commit-config.yaml
- Actionlint config: .github/actionlint.yaml
Policy Rationale
This policy exists to:
- Reduce supply chain risk - External actions could be compromised
- Ensure support - Internal teams can maintain and fix internal actions
- Audit compliance - Enterprise policy enables security auditing
- Consistent standards - Internal actions follow UHG security requirements
- Reduce dependencies - Fewer external dependencies = more stability
Questions or exceptions? Contact Epic Azure Admins team.