Security posture
When we reference a GitHub Action by tag (like @v4), we are trusting a mutable pointer. Tags are moved on purpose (maintainers retarget the v4 major tag at every v4.x release), and anyone who gains write access to the action's repository, or to a maintainer's credentials, can move that tag to arbitrary code. On the next run that code executes inside our jobs, with whatever permissions and secrets the job has, without any change on our side to review.
Solution
GitHub recommends pinning actions to a full-length commit SHA rather than a tag. A commit SHA is immutable: it identifies exactly one commit, so the code that runs cannot change unless we change the reference ourselves. Use all 40 characters; the trailing tag comment is informational only, so when a SHA is copied from somewhere other than the action's own repository, check it against that repository's tags before trusting the comment.
Instead of this:
- uses: actions/checkout@v4
We can do this:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
How to solve
Go through every workflow in .github/workflows/ and replace each owner/repo@tag reference with the 40-character commit SHA that tag currently points at. Resolve it against the action's own repository, e.g. git ls-remote --tags https://github.com/actions/checkout refs/tags/v4.1.1 'refs/tags/v4.1.1^{}'; for an annotated tag the ^{} (peeled) line is the commit, which is what must be pinned, while the unpeeled line is the tag object. Keep the tag as a trailing comment (# v4.1.1) so we can tell what each SHA represents. Also add a Dependabot configuration for the github-actions ecosystem so the pins are maintained rather than left to rot. One caveat: the pin covers the action's own repository only; anything the action pulls in at run time (a composite action's own uses: lines, a Docker image referenced by tag) is not fixed by our pin and has to be reviewed on its own.
Keeping things updated
Once we pin to SHAs, Dependabot (with the github-actions ecosystem enabled in .github/dependabot.yml) keeps us current: when a new release is published it opens a PR that bumps the SHA and updates the version comment beside it, so the comment stays truthful. The pin moves only when we merge that PR, so we review it like any other dependency bump.
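As an added worked example (not part of the original note and not the project's own tooling), the migration script below does the whole "How to solve" step in one pass and also drops in the Dependabot configuration from "Keeping things updated": it resolves each owner/repo@tag to a commit SHA with git ls-remote (preferring the peeled ^{} entry so an annotated tag pins the commit rather than the tag object), rewrites the line as @<sha> # <tag>, leaves lines already pinned to a 40-hex SHA, local ./ actions and docker:// images untouched, and writes .github/dependabot.yml for the github-actions ecosystem if none exists. SAMPLE_WORKFLOW and the FAKE_SHAS lookup table are constructed for an offline demonstration of the rewrite; only resolve_tag() talks to github.com.

```python
#!/usr/bin/env python3
"""Pin tag-referenced GitHub Actions under .github/workflows/ to commit SHAs.

Added example for this note, not project code. Only resolve_tag() needs the
network; pin_workflow_text() is pure so the rewrite can be checked offline.
"""
from __future__ import annotations

import re
import subprocess
from pathlib import Path
from typing import Callable

# `uses:` lines shaped owner/repo[/path]@ref. Local actions ("./x") and
# docker:// images never match this shape and are left as they are.
USES_RE = re.compile(
    r"^(?P<head>\s*(?:-\s*)?uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?P<rest>.*)$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full-length SHA, as GitHub's guidance says

# Dependabot config for the github-actions ecosystem: it bumps SHA pins and
# rewrites the trailing "# vX.Y.Z" comment when a new release appears.
DEPENDABOT_YML = """version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""


def resolve_tag(action: str, tag: str) -> str:
    """Return the commit SHA `tag` points at in the action's own repository.

    Both refs/tags/<tag> and its peeled form refs/tags/<tag>^{} are requested:
    for an annotated tag the first is the tag object, and only the peeled line
    is the commit that a workflow can actually pin.
    """
    repo = "/".join(action.split("/")[:2])  # drop a sub-path such as codeql-action/init
    out = subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{repo}",
         f"refs/tags/{tag}", f"refs/tags/{tag}^{{}}"],
        check=True, capture_output=True, text=True,
    ).stdout
    by_ref: dict[str, str] = {}
    for line in out.splitlines():
        sha, _, ref = line.partition("\t")
        if ref:
            by_ref[ref] = sha
    sha = by_ref.get(f"refs/tags/{tag}^{{}}") or by_ref.get(f"refs/tags/{tag}")
    if not sha:
        raise LookupError(f"{repo}: no tag {tag!r}")
    return sha


def pin_workflow_text(text: str, resolve: Callable[[str, str], str] = resolve_tag) -> tuple[str, list[str]]:
    """Rewrite tag-pinned `uses:` lines to `@<sha> # <tag>`, keeping any existing comment.

    Returns the new text and a list of "action@tag -> sha" changes (empty when
    nothing needed pinning, so a second run is a no-op).
    """
    out, changes = [], []
    for line in text.splitlines(keepends=True):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m["ref"]):
            sha = resolve(m["action"], m["ref"])
            if not SHA_RE.match(sha):
                raise ValueError(f"{m['action']}@{m['ref']}: resolver returned {sha!r}, not a 40-hex SHA")
            trailer = m["rest"].strip()  # e.g. an existing "# why this step" comment
            comment = f" # {m['ref']}" + (f" {trailer}" if trailer else "")
            ending = line[len(line.rstrip("\r\n")):]
            line = f"{m['head']}{m['action']}@{sha}{comment}{ending}"
            changes.append(f"{m['action']}@{m['ref']} -> {sha}")
        out.append(line)
    return "".join(out), changes


# Constructed sample workflow and made-up SHAs for an offline run (not real pins).
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4.0.2
        with:
          node-version: 20
      - uses: github/codeql-action/init@v3
      - uses: actions/upload-artifact@v4  # keep for debugging
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: actions/cache@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # v4.0.2
"""
FAKE_SHAS = {
    ("actions/checkout", "v4"): "0123456789abcdef0123456789abcdef01234567",
    ("actions/setup-node", "v4.0.2"): "89abcdef0123456789abcdef0123456789abcdef",
    ("github/codeql-action/init", "v3"): "fedcba9876543210fedcba9876543210fedcba98",
    ("actions/upload-artifact", "v4"): "abcdef0123456789abcdef0123456789abcdef01",
}


def fake_resolve(action: str, tag: str) -> str:
    """Offline stand-in for resolve_tag() using the constructed table above."""
    return FAKE_SHAS[(action, tag)]


def main(root: Path = Path(".")) -> None:
    wf_dir = root / ".github" / "workflows"
    for path in sorted(list(wf_dir.glob("*.yml")) + list(wf_dir.glob("*.yaml"))):
        new_text, changes = pin_workflow_text(path.read_text())
        if changes:
            path.write_text(new_text)
            print(f"{path}:\n  " + "\n  ".join(changes))
    dep = root / ".github" / "dependabot.yml"
    if not dep.exists():
        dep.write_text(DEPENDABOT_YML)
        print(f"wrote {dep}")


if __name__ == "__main__":
    main()
```

Run it from the repository root to pin every workflow in place; re-running is a no-op because already-pinned lines are skipped. Resolving against https://github.com/owner/repo (rather than copying a SHA from a third-party list) is what ties each pin to a tag that actually exists in the action's own repository.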