Summary
Every third-party action is pinned by a mutable tag rather than a commit SHA. If the tag on goreleaser/goreleaser-action, contributor-assistant/github-action, dependabot/fetch-metadata, DavidAnson/markdownlint-cli2-action, or golangci/golangci-lint-action is moved (a retag), the next run executes whatever the tag now points at, inside workflows that hold contents: write, attestations: write and id-token: write. In the release workflow the actions/attest-build-provenance step then signs the artifacts that hostile step produced, so the provenance attests to compromised output.
First-party actions/* (actions/checkout, actions/attest-build-provenance, ...) stay tag-pinned: they are maintained by GitHub and the retag risk on those is accepted here. A SHA pin only covers the step that carries it: a SHA-pinned composite action can still reference tag-pinned actions internally, and a SHA does nothing against a compromise of the upstream repository itself.
Scope
Replace every non-actions/* uses: with the full 40-character commit SHA of the release tag (the peeled commit, not the SHA of an annotated tag object) plus a trailing # vX.Y.Z comment. Dependabot (package-ecosystem: github-actions in .github/dependabot.yml) bumps SHA pins and rewrites the version comment on each update; without the comment the pin is opaque to reviewers.
Acceptance criteria
- `grep -nP '^\s*(-\s+)?uses:\s+(?!actions/)' .github/workflows/*.yml` shows only @[0-9a-f]{40} refs. The lookahead is PCRE, so this needs grep -P (grep -E rejects it), and the optional `- ` prefix is needed to catch `- uses:` step lines.
- Each SHA line has a trailing # vX.Y.Z comment.
- CI and the release workflow (workflow_dispatch) are green after the repin.
Source: security-reviewer + devops agents, post-v1.0.0 review.
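The scope and acceptance criteria above as a runnable check. This is an added example, not the project's own tooling: `list_unpinned`, `check_pins`, `tag_to_sha` and `write_samples` are names chosen here, the sample workflows are constructed, and the 40-hex values in them are placeholders, not the real commits for any release. It uses POSIX sh and ERE grep, so it does not depend on grep -P, and it treats local `./` actions as exempt alongside actions/*.

```shell
#!/bin/sh
# Added example for the repin policy above; not the project's own script.
# "Third-party" means any `uses:` whose target is not under actions/ and is not
# a local ./ action. Each such line must reference a full 40-hex commit SHA and
# carry a trailing `# vX.Y.Z` comment (Dependabot keeps that comment in sync
# when it bumps the SHA). POSIX sh + ERE grep only: no `grep -P` required.

# Print every third-party `uses:` line (file:line:text) that is NOT of the form
# owner/repo@<40 hex sha>  # vX.Y.Z. Prints nothing when the directory is clean.
list_unpinned() {
  dir="$1"
  # Match both `uses:` and `- uses:` step lines; drop first-party and local actions.
  third=$(grep -nHE '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]+' "$dir"/*.yml "$dir"/*.yaml 2>/dev/null \
          | grep -vE 'uses:[[:space:]]+(actions/|\./)' || true)
  [ -n "$third" ] || return 0
  # Keep only lines that lack "@<40 hex> # vX.Y.Z".
  printf '%s\n' "$third" \
    | grep -vE '@[0-9a-f]{40}[[:space:]]+#[[:space:]]*v?[0-9]+\.[0-9]+\.[0-9]+' || true
}

# Acceptance check: exit 0 when clean, exit 1 (offenders on stderr) otherwise.
check_pins() {
  bad=$(list_unpinned "$1")
  [ -n "$bad" ] || return 0
  printf '%s\n' "$bad" >&2
  return 1
}

# Resolve the commit behind a release tag so the pin can be written. ls-remote
# lists an annotated tag twice: the tag object, and the peeled commit with a
# ^{} suffix. The pin must be the peeled commit SHA (what the runner checks out).
# Needs network; the offline demo below does not call it.
tag_to_sha() {
  git ls-remote --tags "https://github.com/$1" "refs/tags/$2" \
    | awk 'index($2, "^{}") { peeled = $1; next } { plain = $1 }
           END { print (peeled != "" ? peeled : plain) }'
}

# Constructed sample workflows (placeholder SHAs, not real release commits).
write_samples() {
  mkdir -p "$1/bad" "$1/good"
  cat > "$1/bad/release.yml" <<'EOF'
jobs:
  release:
    steps:
      - uses: actions/checkout@v4                  # first-party: tag allowed
      - uses: actions/attest-build-provenance@v1   # first-party: tag allowed
      - uses: goreleaser/goreleaser-action@v6      # tag pin: retaggable
      - uses: golangci/golangci-lint-action@0123456789abcdef0123456789abcdef01234567 # v6.1.1
      - uses: dependabot/fetch-metadata@0123456789abcdef0123456789abcdef01234567
EOF
  cat > "$1/good/ci.yml" <<'EOF'
jobs:
  lint:
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup              # local action: exempt
      - uses: DavidAnson/markdownlint-cli2-action@0123456789abcdef0123456789abcdef01234567 # v17.0.0
EOF
}

# Stand-alone demo: "good" passes, "bad" reports the tag-pinned goreleaser step
# and the SHA-pinned-but-uncommented fetch-metadata step.
tmp=$(mktemp -d)
write_samples "$tmp"
for d in good bad; do
  if check_pins "$tmp/$d"; then echo "$d: all third-party actions SHA-pinned"
  else echo "$d: repin required"; fi
done
rm -rf "$tmp"
```

Run `check_pins .github/workflows` as the acceptance gate; `tag_to_sha goreleaser/goreleaser-action v6.1.0` style calls give the peeled commit to paste into the `uses:` line, with the tag kept as the trailing comment. Docker-form `uses: docker://...` steps are reported too, which is intended: those should be pinned by image digest rather than tag.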