ci(security): pin GitHub Actions to full commit SHAs#35
Open
dmchaledev wants to merge 1 commit into
Open
Conversation
Pin actions/checkout and actions/setup-node to immutable commit SHAs (with the resolved version in a trailing comment) across all three workflows instead of the mutable `@v4` major tag. Mutable tags can be force-moved by a compromised or hijacked action maintainer to point at malicious code. The publish workflow runs with `id-token: write` and holds `NPM_PUBLISH_TOKEN`, so a moved tag there could exfiltrate the npm token or publish a backdoored release under this package's name. Pinning to a SHA makes every workflow run use exactly the audited code. This is the OpenSSF Scorecard "Pinned-Dependencies" recommendation and appropriate dogfooding for a supply-chain security tool. Dependabot's github-actions ecosystem understands the `@<sha> # <version>` format and keeps the pins current, so this composes with automated updates rather than freezing the versions. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01QvQQy7fpkxLaR1idLHgX2e
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Pin the third-party GitHub Actions used in all three workflows to immutable full commit SHAs (with the resolved version in a trailing comment) instead of the mutable
@v4major tag:actions/checkout@v4@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1actions/setup-node@v4@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0Touched:
.github/workflows/ci.yml,.github/workflows/publish.yml,.github/workflows/auto-tag.yml. Sixuses:references in total. No workflow logic changes.Why
A
@v4tag is a mutable pointer — the action's maintainer (or anyone who compromises their account) can force-move it to point at arbitrary code, and every consumer picks that up on the next run with no diff to review. This is the classic CI supply-chain vector (e.g. thetj-actions/changed-filescompromise).That risk is most acute in
publish.yml, which runs withpermissions: id-token: writeand injectsNPM_PUBLISH_TOKEN. A moved tag oncheckoutorsetup-nodethere could exfiltrate the npm token or publish a backdoored release under this package's own name. Pinning to a SHA guarantees every run executes exactly the code that was audited when the pin was set.For a package that exists to track supply-chain integrity, hardening its own supply chain is appropriate dogfooding. It's also the OpenSSF Scorecard Pinned-Dependencies recommendation and GitHub's documented hardening guidance.
Not a duplicate / composes with #34
None of the open PRs pin actions to SHAs. #34 adds a Dependabot config but deliberately keeps the floating
@v4tags and relies on Dependabot to bump the major tag — which still leaves a mutable pointer between Dependabot runs. This change is complementary: Dependabot'sgithub-actionsecosystem understands the@<sha> # <version>format and updates both the SHA and the comment, so pinning does not freeze the versions — it just makes each pin immutable until an update is reviewed and merged.Verification
git ls-remote --tags) —v4.3.1forcheckout,v4.4.0forsetup-node(latestv4.xat time of writing).ci.ymlruns on this PR, exercising the newcheckout/setup-nodepins directly.🤖 Generated with Claude Code
https://claude.ai/code/session_01QvQQy7fpkxLaR1idLHgX2e
Generated by Claude Code