
Pin GitHub Actions to commit SHAs #693

Merged
jesserockz merged 1 commit into main from pin-action-shas
Apr 13, 2026

Conversation

@jesserockz
Member

Summary

Pin all GitHub Action and reusable workflow references to their full commit SHAs
instead of mutable tags or branch names.

Closes #692

Why?

Referencing actions by tag (e.g., actions/checkout@v4) is convenient but
carries a supply-chain risk: tags are mutable and can be force-pushed to point
at arbitrary commits. If an action's tag is compromised, every workflow that
references it by tag will silently run the attacker's code.

Pinning to a full 40-character commit SHA (e.g.,
actions/checkout@11bd719...) makes the reference immutable. Even if a tag is
tampered with, workflows pinned to a SHA will continue to use the exact code
that was reviewed and trusted.

A version comment is included next to each SHA for readability
(e.g., actions/checkout@11bd719... # v4.2.2).

References

Replace mutable tag references with immutable commit SHAs
to prevent supply-chain attacks via compromised tags.
Version comments are preserved for readability.
jesserockz merged commit 8e0d42e into main, Apr 13, 2026
1 check passed
jesserockz deleted the pin-action-shas branch, April 13, 2026 09:03
