Skip to content

No-op - Pinning github actions to commit SHAs#491

Merged
alex-page merged 2 commits into
mainfrom
kaiyi-pin-shas
Apr 27, 2026
Merged

No-op - Pinning github actions to commit SHAs#491
alex-page merged 2 commits into
mainfrom
kaiyi-pin-shas

Conversation

@kyli

@kyli kyli commented Apr 27, 2026

Copy link
Copy Markdown
Contributor

Why?

By using some-org/some-action@v3 you are trusting a mutable tag. If the upstream repo is compromised, a force-pushed v3 ships malicious code into your workflow on the next run — see tj-actions/changed-files (March 2025) for recent real-world cases that leaked secrets across thousands of downstream workflows.

Pinning to a full 40-char SHA (uses: tj-actions/changed-files@<sha> # v45.0.3) makes the reference immutable and helps to mitigate this type of supply chain attacks.

cc @alex-page for review.

@kyli
kyli requested a review from alex-page April 27, 2026 19:07
@alex-page
alex-page merged commit aad58d9 into main Apr 27, 2026
4 checks passed
@alex-page
alex-page deleted the kaiyi-pin-shas branch April 27, 2026 20:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants