Pin all GitHub Actions to SHA-based references #19318
Open
brendandburns wants to merge 1 commit into Azure:main from
Conversation
Switch all GitHub Actions from mutable tag references to immutable SHA-pinned references to prevent supply chain attacks via tag hijacking.
shenglol reviewed on Apr 2, 2026
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 |
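Review bot: the trailing comment on the added line records only the major tag (`# v6`), so neither a reviewer nor an update bot can tell which exact release `de0fac2e4500dabe0009e67214ff5f5447ce83dd` was resolved from; suggest recording the fully qualified release tag the SHA was taken from (the v6.x.y it resolved to at pinning time) and, as shenglol asks, a one-line comment on why refs are pinned, since the next person to bump the version otherwise has no cue not to revert to `@v6`. It would also help to state in the PR description how each SHA was confirmed to be the commit the tag pointed to when pinned (for example via `git ls-remote --tags` against the action repository), because the pin is only as trustworthy as that resolution step.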
Might be worth adding a comment explaining the rationale behind this change?
Summary
Switches all GitHub Actions workflow references from mutable tag-based references (e.g. actions/checkout@v6) to immutable SHA-pinned references (e.g. actions/checkout@de0fac2e... # v6), with the original tag preserved as a trailing comment for readability.

Motivation
Using mutable tags in GitHub Actions workflows is a supply chain security risk. Tags are Git refs that can be force-pushed by repository owners (or attackers who compromise an action's repository), meaning a tag like v6 can be silently repointed to arbitrary code at any time. This enables a class of attack where a compromised or malicious action version is injected into CI/CD pipelines without any visible change to the consuming workflow files.

This is not a theoretical risk. In the LiteLLM security incident, attackers exploited mutable tag references to the aquasecurity/trivy-action GitHub Action. A compromised version of the action was published under the same tag, which caused CI/CD pipelines that referenced it by tag to silently execute malicious code — exfiltrating secrets and environment variables from every repository that used the action.

Pinning to commit SHAs makes workflow references immutable and tamper-proof. Even if an upstream action repository is compromised and tags are repointed, SHA-pinned references will continue to resolve to the originally audited code.

This change follows the security policy recommended by the Kubernetes GitHub Actions Policy and GitHub's own security hardening guidance.

Changes
All 12 workflow files under .github/workflows/ have been updated. Every uses: directive now references a full 40-character commit SHA with the original version tag preserved as a comment. No functional changes — all SHAs resolve to the same code as the previously referenced tags.
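As an added example (not code from this PR or the Azure repository), a small audit that reads a workflow file and classifies each `uses:` reference as a mutable tag, an abbreviated SHA, or a full SHA with or without the tag comment this PR's convention requires; the sample workflow text is constructed, and `audit_uses` / `unpinned` are hypothetical helper names.

```python
import re

# Constructed sample workflow (not from the PR): one mutable tag, one ref pinned the
# way this PR does it, one abbreviated SHA, and two targets that carry no git ref.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: actions/setup-node@0123456 # v4
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
"""

# A `uses:` line: optional list dash, the target, and an optional trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<target>\S+)(?:\s+#\s*(?P<comment>.*?))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def audit_uses(workflow_text):
    """Classify every `uses:` reference: "mutable" (tag/branch), "short-sha"
    (abbreviated, not collision-safe), "pinned" (full SHA plus tag comment)
    or "pinned-no-tag-comment". Returns one dict per reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group("target"), m.group("comment")
        if target.startswith(("./", "docker://")):
            continue  # local composite actions and container images: no git ref
        action, _, ref = target.partition("@")
        if FULL_SHA_RE.match(ref):
            status = "pinned" if comment else "pinned-no-tag-comment"
        elif SHORT_SHA_RE.match(ref):
            status = "short-sha"
        else:
            status = "mutable"
        findings.append({"line": lineno, "action": action, "ref": ref,
                         "tag": comment.strip() if comment else None, "status": status})
    return findings


def unpinned(workflow_text):
    """Only the references this PR's policy would reject."""
    return [f for f in audit_uses(workflow_text) if f["status"] in ("mutable", "short-sha")]
```

Run it over every file under .github/workflows/ in CI and fail the job when `unpinned` returns anything, so a later edit cannot quietly reintroduce a tag reference.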