The purpose of this policy is to establish mandatory security requirements for using GitHub Actions in workflow files across all repositories in all Kubernetes GitHub organizations.
All GitHub Actions MUST be referenced using commit SHA hashes.
```yaml
# REQUIRED - Pin to commit SHA
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

# PROHIBITED - Mutable references
uses: actions/checkout@v4     # Tags can be force-pushed
uses: actions/checkout@main   # Branches move
uses: actions/checkout@master # Branches move
uses: actions/checkout@latest # Undefined reference
```

Mutable references such as `latest`, tags, and branches (like `master` or `main`) can be force-updated to point to different commits. An attacker who compromises an action's repository can inject malicious code by changing what these references point to, creating a supply chain vulnerability.
Commit SHA hashes are cryptographically immutable and cannot be changed, preventing such attacks.
Recent incidents demonstrate the risks of mutable references:
- https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23
- Discussion: https://kubernetes.slack.com/archives/CD6LAC15M/p1774101470025069
Additional context:
- All `uses:` statements in workflow files MUST reference actions using 40-character commit SHA hashes
- New workflows MUST comply before merge
- Existing workflows MUST be updated to comply
- Repositories SHOULD enable Dependabot for GitHub Actions to automatically update SHA-pinned actions to newer versions
- Dependabot supports updating SHA-pinned actions, which aligns with this policy
- See the Dependabot configuration file reference for setup details
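The following is an added example, not part of this policy or the Kubernetes project's own tooling: a small compliance check that scans a workflow file for `uses:` references that are not pinned to a 40-character commit SHA, and a second check that confirms a `dependabot.yml` has a `github-actions` update entry so the pinned SHAs keep getting bumped. The sample workflow and Dependabot config are constructed inline; the handling of local `./` actions and `docker://` images is an assumption of this example, since the policy text does not address them.

```python
"""Added example: check workflow files against the SHA-pinning rule.

Assumptions not stated in the policy: local actions ("./path") are skipped
because they carry no @ref to pin, and a docker:// image is treated as pinned
only when referenced by an @sha256: digest.
"""
import re
from typing import List, NamedTuple

# A full-length commit SHA is exactly 40 hexadecimal characters.
SHA40 = re.compile(r"^[0-9a-fA-F]{40}$")

# Matches a "uses: value" line (optionally as a "- uses:" list item),
# tolerating quotes and ignoring any trailing "# comment".
USES_LINE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^'"\s#]+)""")


class Finding(NamedTuple):
    line_no: int
    uses: str
    reason: str


def check_uses(value: str) -> str:
    """Return "" if the reference complies, otherwise a short reason."""
    if value.startswith("./"):
        return ""  # assumption: local, same-repo action; nothing to pin
    if value.startswith("docker://"):
        # assumption: container images count as pinned only by digest
        return "" if "@sha256:" in value else "docker image not pinned by digest"
    if "@" not in value:
        return "no ref given (implicit default branch)"
    _action, ref = value.rsplit("@", 1)
    if not SHA40.match(ref):
        return f"mutable reference '{ref}' (need 40-char commit SHA)"
    return ""


def find_violations(workflow_text: str) -> List[Finding]:
    """Scan one workflow file's text and report every non-compliant uses:."""
    findings: List[Finding] = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_LINE.match(line)
        if not match:
            continue
        reason = check_uses(match.group(1))
        if reason:
            findings.append(Finding(line_no, match.group(1), reason))
    return findings


def dependabot_covers_actions(dependabot_text: str) -> bool:
    """True if a dependabot.yml declares a github-actions update entry."""
    pattern = r"""package-ecosystem:\s*['"]?github-actions['"]?"""
    return re.search(pattern, dependabot_text) is not None


# Constructed sample workflow: one compliant pin, the prohibited forms from
# the policy, a local action and an unpinned container image.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: actions/checkout@v4 # Tags can be force-pushed
      - uses: actions/checkout@main # Branches move
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

# Constructed sample .github/dependabot.yml enabling GitHub Actions updates.
SAMPLE_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_WORKFLOW):
        print(f"line {finding.line_no}: {finding.uses}: {finding.reason}")
    print("dependabot covers github-actions:",
          dependabot_covers_actions(SAMPLE_DEPENDABOT))
```

Run against the constructed sample, the scan flags the `@v4`, `@main` and `docker://alpine:3.19` lines and accepts the SHA-pinned checkout; a line-oriented regex is used rather than a YAML parser so the check has no dependencies and can run as a pre-merge hook, but it will also match `uses:` in reusable-workflow `jobs.<id>.uses` entries, which is what the policy intends.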