What is the main risk of using unpinned actions?

If an action maintainer's account is compromised, an attacker can update a tag (like @v1) to point to malicious code, which then executes with access to your repository secrets and cloud credentials.

How do I keep my pinned actions readable for humans?

The best practice is to include the semantic version as a comment on the same line as the SHA-pinned action reference, such as: uses: actions/checkout@b4ffde6... # v4.1.1.

Does SHA pinning prevent Dependabot from working?

No, Dependabot fully supports SHA pinning and can automatically create pull requests to update your hashes when new versions are released, allowing for a secure review process.

Why should I pin GitHub Actions to a SHA instead of a tag?

Tags are mutable and can be moved to malicious commits without notice, whereas SHA-256 hashes are immutable, ensuring you only run the exact, verified code you've audited.

GitHub Action SHA Pinning Guide

Name: GitHub Action SHA Pinning Guide
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

セキュリティとテスト

Secures CI/CD pipelines by enforcing immutable SHA-256 commit pinning for GitHub Actions to prevent supply chain attacks.

概要

This skill provides comprehensive guidance on securing GitHub Actions by replacing mutable tag references with immutable SHA-256 commit hashes. It helps developers understand the critical risks associated with unpinned actions—such as account compromise and tag mutation—while offering practical implementation patterns for hardening supply chains, configuring Dependabot for secure updates, and establishing organizational security policies to protect sensitive credentials and secrets.

主な機能

Supply chain attack vector analysis
Dependabot configuration for SHA updates
Organization-level security allowlisting strategies
Tag vs. SHA-256 comparison framework
Secure CI/CD implementation patterns
0 GitHub stars

ユースケース

Hardening production deployment workflows against malicious updates
Auditing existing GitHub Action files for security vulnerabilities
Setting up automated, secure dependency updates for CI/CD pipelines

概要

主な機能

Supply chain attack vector analysis
Dependabot configuration for SHA updates
Organization-level security allowlisting strategies
Tag vs. SHA-256 comparison framework
Secure CI/CD implementation patterns
0 GitHub stars

ユースケース

Hardening production deployment workflows against malicious updates
Auditing existing GitHub Action files for security vulnerabilities
Setting up automated, secure dependency updates for CI/CD pipelines