Skip to content

GitHub Script action not pinned to a full-length commit SHA #169

New issue
New issue
Open
Open
GitHub Script action not pinned to a full-length commit SHA#169
@dwenzel-infrest

Description

@dwenzel-infrest
dwenzel-infrest
opened on Mar 18, 2026

The accessibility-scanner workflow uses actions/github-script@v8 without pinning it to a specific commit SHA. This violates security best practices and causes the pipeline to fail when the Require actions to be pinned to a full-length commit SHA setting is enabled.

Steps to Reproduce

  1. Enable Require actions to be pinned to a full-length commit SHA in the repository settings.
  2. Run the accessibility-scanner workflow.
  3. Observe the failure caused by the unpinned actions/github-script action.

Expected Behavior

The workflow should run successfully with all actions pinned to full-length commit SHAs.

Actual Behavior

The workflow fails because actions/github-script@v8 is not pinned to a commit SHA.

accessibility-scanner/action.yml

Line 137 in db51bb5

uses: actions/github-script@v8

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions