
Pin GitHub Actions to commit SHAs#343

Merged
jesserockz merged 1 commit into main from pin-action-shas
Apr 13, 2026

Conversation

@jesserockz
Member

Summary

Pin all GitHub Action and reusable workflow references to their full commit SHAs
instead of mutable tags or branch names.

Closes #342

Why?

Referencing actions by tag (e.g., actions/checkout@v4) is convenient but
carries a supply-chain risk: tags are mutable and can be force-pushed to point
at arbitrary commits. If an action's tag is compromised, every workflow that
references it by tag will silently run the attacker's code.

Pinning to a full 40-character commit SHA (e.g.,
actions/checkout@11bd719...) makes the reference immutable. Even if a tag is
tampered with, workflows pinned to a SHA will continue to use the exact code
that was reviewed and trusted.

A version comment is included next to each SHA for readability
(e.g., actions/checkout@11bd719... # v4.2.2).

References

Replace mutable tag references with immutable commit SHAs
to prevent supply-chain attacks via compromised tags.
Version comments are preserved for readability.
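The check below is an added example, not code from this PR or from the project: a small audit script that scans workflow text for every `uses:` reference and classifies it as pinned to a full 40-hex commit SHA, pinned but missing the version comment the PR description recommends, an abbreviated SHA, or a mutable tag/branch/image tag. The sample workflow, its SHAs and the action names other than `actions/checkout` are constructed placeholders, not values from the PR.

```python
import re
from collections import namedtuple

# One finding per `uses:` reference found in a workflow file.
Finding = namedtuple("Finding", "target ref status comment")

# Matches `uses: <value> [# comment]` anywhere in a workflow. Step-level
# actions and job-level reusable workflows share the same syntax.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*(?P<value>[^\s#]+)[ \t]*"
    r"(?:#[ \t]*(?P<comment>[^\n]*))?",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def classify(value, comment):
    """Classify a single `uses:` value.

    Statuses:
      pinned                     full 40-hex SHA with a '# vX.Y.Z' comment,
                                 or a docker:// image pinned by digest
      pinned-no-version-comment  full SHA but no version hint for reviewers
      short-sha                  abbreviated SHA; treated as unpinned here
      mutable                    tag, branch or image tag that can be moved
      local                      path inside the repo; nothing to pin
    """
    if value.startswith("./"):
        return Finding(value, None, "local", comment)
    if "@" not in value:
        # docker://image:tag without a digest (or a bare owner/repo).
        return Finding(value, None, "mutable", comment)
    target, ref = value.rsplit("@", 1)
    if value.startswith("docker://"):
        status = "pinned" if ref.startswith("sha256:") else "mutable"
        return Finding(target, ref, status, comment)
    if FULL_SHA_RE.match(ref):
        status = "pinned" if comment else "pinned-no-version-comment"
    elif SHORT_SHA_RE.match(ref):
        status = "short-sha"
    else:
        status = "mutable"
    return Finding(target, ref, status, comment)


def audit_workflow(text):
    """Return a Finding for every `uses:` line, in file order."""
    findings = []
    for m in USES_RE.finditer(text):
        comment = (m.group("comment") or "").strip() or None
        findings.append(classify(m.group("value"), comment))
    return findings


def unpinned(text):
    """Only the references a reviewer should block on."""
    return [f for f in audit_workflow(text) if f.status in ("mutable", "short-sha")]


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.3.0
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - name: cache
        uses: actions/cache@abc1234
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234568
  reuse:
    uses: org/repo/.github/workflows/release.yml@main
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f.status:26} {f.target}@{f.ref}  {f.comment or ''}")
    print(f"{len(unpinned(SAMPLE_WORKFLOW))} reference(s) still need pinning")
```

Run it over `.github/workflows/*.yml` in CI and fail the job when `unpinned()` is non-empty; the `pinned-no-version-comment` status is reported but not blocking, since it only affects readability, not immutability.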
@jesserockz jesserockz merged commit b86c449 into main Apr 13, 2026
21 checks passed
@jesserockz jesserockz deleted the pin-action-shas branch April 13, 2026 08:59
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 14, 2026