
ci: pin GitHub Actions to commit SHAs (supply-chain hardening)#3231

Closed
Fabridev444 wants to merge 1 commit into DNSCrypt:master from Fabridev444:sec/pin-actions-to-sha

Conversation

@Fabridev444

What

Pins all 11 unpinned GitHub Actions references across autocloser.yml, codeql-analysis.yml, and releases.yml to immutable commit SHAs, keeping the original semver tag as an inline # v6 comment for Dependabot compatibility.

Example diff:

-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac26b4e3d6d5d3a5ad99b6d9be9d8c66cbd2 # v6
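Review bot: on the `+` line the `# v6` comment is the only link between the SHA and the tag it claims to stand for, and nothing in the workflow checks one against the other, so the reviewer should confirm that de0fac26b4e3d6d5d3a5ad99b6d9be9d8c66cbd2 is what the actions/checkout v6 tag resolved to (for example by comparing against the output of `git ls-remote --tags` on that repository); a stale or mistaken SHA would silently pin a different action version than the comment states, and Dependabot would keep bumping from the wrong baseline.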

Why

Tags like @v4 or @v6 are mutable — anyone with push access to the action's repo can rewrite them. The tj-actions/changed-files CVE-2025-30066 was a maintainer-token compromise that quietly modified existing tags to exfiltrate secrets from thousands of consumers. Commit SHAs cannot be rewritten without a force-push that breaks every downstream — so they're audit-traceable and reproducible.

Recommended by:

How

Generated mechanically with gha-shield v1.0.6:

npx Fabridev444/gha-shield .github/workflows --fix

It resolves each <owner>/<repo>@<tag> via the GitHub commits API and rewrites the file. Original tags are preserved in # v6 trailing comments — Dependabot's commit-message handler reads those and bumps SHAs on every new release. No extra config needed; your existing .github/dependabot.yml already covers the github-actions ecosystem.

Compatibility

  • ✅ Idempotent — re-running does nothing once pinned.
  • ✅ Dependabot keeps the comments and updates SHAs automatically.
  • ✅ All workflow triggers preserved.
  • ⚠️ actions/setup-go@v6 and actions/checkout@v6 look unusual (latest released v5/v4 at scan time); this PR pins whatever commit the existing @v6 tag currently resolves to, no version change.

Verify

git fetch origin pull/<PR#>/head:pin-actions
git checkout pin-actions
# Optional: re-scan
npx Fabridev444/gha-shield .github/workflows

gha-shield is MIT-licensed and self-hosted (npx Fabridev444/gha-shield resolves directly from this GitHub repo, no npm publish needed). Happy to drop a Solana tip in the FUNDING.yml if useful: 634UtV9dWq8G7ciosqx1pcKkBK4kNkNod9yvoM8ujSdM

Pins 11 unpinned action references across autocloser.yml, codeql-analysis.yml,
and releases.yml to immutable commit SHAs, keeping the original semver tag
as inline comment for Dependabot compatibility.

Why: tags like `@v6` or `@v4` are mutable; an attacker who compromises a
maintainer account (cf. tj-actions/changed-files CVE-2025-30066) can rewrite
the tag silently. Commit SHAs cannot be rewritten without rebasing your repo.

Dependabot will still auto-bump these comments + SHAs on new releases when
the existing dependabot.yml config picks them up — no extra config needed.

Generated by https://github.com/Fabridev444/gha-shield v1.0.6 via:
  npx Fabridev444/gha-shield .github/workflows --fix
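An added example, not code from this PR or from gha-shield: an offline linter for the property the PR relies on. It scans workflow text for `uses:` references, flags mutable tags and abbreviated SHAs, and also flags full-SHA pins that lack the `# vN` comment Dependabot needs. The workflow snippet is constructed; the checkout SHA is the one from the PR, the other SHA is a made-up placeholder.

```python
import re

# One `uses:` step line: owner/repo[/subpath]@ref, optional quotes, optional trailing comment.
# Local (./path) and docker:// references have no owner/repo@ref shape and are skipped.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)'
    r'@(?P<ref>[^\s#"\']+)["\']?\s*(?:#\s*(?P<comment>\S.*?))?\s*$'
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*")  # accepts "v6", "v4.2.1", "6"


def classify_ref(ref):
    """'sha' = full 40-hex commit; 'short-sha' = abbreviated (not immutable); else 'mutable'."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "short-sha"
    return "mutable"  # tag or branch name: can be moved by anyone with push access


def audit_workflow(text):
    """Return (line_no, action, problem) for each reference that is not a full-SHA pin
    carrying a version comment (the shape gha-shield --fix produces)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        kind = classify_ref(ref)
        if kind == "sha":
            if not (comment and VERSION_COMMENT_RE.match(comment)):
                findings.append((line_no, action, "SHA pin lacks '# vN' comment; Dependabot cannot track releases"))
        else:
            findings.append((line_no, action, f"{kind} ref {ref!r}: pin to a full 40-hex commit SHA"))
    return findings


# Constructed sample workflow; only line 5 is in the hardened form the PR introduces.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/checkout@de0fac26b4e3d6d5d3a5ad99b6d9be9d8c66cbd2 # v6
      - uses: actions/setup-go@de0fac26
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.20
"""
```

Running `audit_workflow(SAMPLE_WORKFLOW)` reports lines 4 (mutable tag), 6 (abbreviated SHA) and 7 (pin without version comment); the local and docker references are not action pins and are ignored.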
@jedisct1
Member

We'll add zizmor.


Labels

ai Ai generated
