Pin GitHub Actions to SHA and add enforcement #4584
Pin all GitHub Actions to their full commit SHA for improved security, following supply chain security best practices. This prevents unexpected changes from compromised or modified action tags.

Changes:
- Pin all actions across 10 workflow files to specific commit SHAs
- Update all actions to their latest patch versions for consistency
- Add new workflow (ensure-sha-pinned-actions.yml) that fails CI if unpinned actions are introduced
- Add Makefile target (validate-gh-actions) for local validation
- Integrate validation into validate-go-action CI target

Action versions updated:
- actions/checkout: v6.0.2
- actions/setup-go: v6.2.0
- actions/setup-node: v6.2.0
- step-security/harden-runner: v2.14.1
- coverallsapp/github-action: v2.3.6
- golangci/golangci-lint-action: v9.2.0
- softprops/action-gh-release: v2.5.0
- oxsecurity/megalinter: v9.3.0
- github/codeql-action: v4 (latest)

Dependabot is already configured to keep pinned actions updated weekly.
```yaml
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Ensure SHA pinned actions
        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@6124774845927d14c601359ab8138699fa5b70c3 # v4.0.1
```
Considering that security is the goal of the pull request, has this GH Action been vetted? Does it need to be vetted?
Sure, you're right to ask and indeed I've already done an inspection.
You're also right that we should share this kind of info in the PR itself when introducing new tooling.
So here's a formal report from my findings.
Security Report: mheap/pin-github-action
SHA: 6550a5c31b612a439ed7e63161811d35c36dd873 (v3.4.0)
Summary
| Category | Assessment | Notes |
|---|---|---|
| Purpose | ✅ Legitimate | CLI/Action to pin GH Actions to SHAs |
| Author | ✅ Verified | Michael Heap - Sr. Director DevRel @Kong |
| Contributors | ✅ 10 | 9 humans + Dependabot |
| Commit Liveness | ✅ Active | 100 commits, v3.4.0 released Jun 22, 2025 |
| Stars | ✅ 141 | Decent adoption for utility tool |
| License | ✅ MIT | Auditable |
| Known CVEs | ✅ None | No advisories in Snyk or GitHub |
| OpenSSF Scorecard | No scorecard available | |
| Security Policy | No SECURITY.md | |
Dependencies (package.json)
| Package | Version | Risk |
|---|---|---|
| @octokit/rest | ^21 | ✅ Official GitHub SDK |
| commander | ^13 | ✅ Well-maintained CLI framework |
| yaml | ^2.7.0 | ✅ Standard YAML parser |
| fast-glob | ^3.3.3 | ✅ Common glob utility |
| debug | ^4.4.0 | ✅ Standard debug utility |
| matcher | ^5.0.0 | ✅ Simple pattern matcher |
| escape-string-regexp | ^5.0.0 | ✅ Simple utility |
All dependencies are mainstream, well-maintained packages.
Security Scanning Results
| Scanner | Result |
|---|---|
| Snyk Security | ✅ No direct vulnerabilities |
| GitHub Advisory Database | ✅ No advisories |
| CVE Database | ✅ No CVEs found |
Your Mitigations (Already Applied)
| Mitigation | Status |
|---|---|
| Read-only workflow | ✅ Done |
| Hardened runner | ✅ Done |
| SHA pinned | ✅ 6550a5c... matches v3.4.0 |
Gaps to Address
- No SECURITY.md - Vulnerabilities reported via public issues
- No OpenSSF Scorecard - Project not indexed by OpenSSF
- No Dependabot visible - Though the project does receive dependency updates
It looks like you reported on mheap/pin-github-action rather than zgosalvez/github-actions-ensure-sha-pinned-actions.
I'm sorry, I got confused with one of the alternatives I was considering.
At this point I'll review it directly as a comparison.
These tools are complementary, not alternatives:
- Use mheap/pin-github-action to perform initial SHA pinning
- Use zgosalvez/github-actions-ensure-sha-pinned-actions to enforce pinning in CI
Summary
| Aspect | mheap/pin-github-action | zgosalvez/github-actions-ensure-sha-pinned-actions |
|---|---|---|
| Primary Purpose | CLI tool to pin actions to SHAs | GitHub Action to validate actions are pinned |
| Use Case | Developer workflow / one-time migration | CI enforcement / ongoing validation |
| Recommendation | ✅ Use for initial pinning | ✅ Use for CI enforcement |
1.2 Repository Health
| Metric | mheap/pin-github-action | zgosalvez/github-actions-ensure-sha-pinned-actions |
|---|---|---|
| Stars | 141 | 48 |
| Forks | 17 | 16 |
| Contributors | 10 | 8 |
| Open Issues | 19 | 7 |
| License | MIT | MIT |
| Latest Release | v3.4.0 (2025-06-22) | v4.0.1 (2025-12-13) |
| Last Push | 2025-06-22 | 2026-01-31 |
| Archived | No | No |
Both projects are actively maintained. The zgosalvez action has more recent activity.
2. Security Analysis
2.1 zgosalvez/github-actions-ensure-sha-pinned-actions
Strengths:
| Aspect | Assessment |
|---|---|
| Minimal permissions | No special permissions required; read-only operation |
| Native GitHub Action | Runs in isolated runner environment |
| Node24 runtime | Modern, supported Node.js version |
| Small dependency surface | Only 3 runtime deps: @actions/core, @actions/glob, yaml |
| Bundled distribution | Uses @vercel/ncc to bundle dependencies (reduces supply chain risk) |
| Allowlist support | Can exempt trusted publishers (e.g., actions/*) |
| Dry-run mode | Non-blocking validation option |
Concerns:
| Concern | Severity | Mitigation |
|---|---|---|
| Single maintainer (zgosalvez) | Low | MIT license allows forking; PR pins to SHA |
| Reports only first error | Low | Multiple CI runs will surface all issues |
| Allowlist misconfiguration risk | Low | Review allowlist in PR reviews |
Dependencies (v4.0.1):
- @actions/core@1.11.1 - Official GitHub toolkit (trusted)
- @actions/glob@0.5.0 - Official GitHub toolkit (trusted)
- yaml@2.8.2 - Well-maintained YAML parser

I think it is safe to proceed.
```yaml
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
```
Considering that security is the goal of the pull request, has this GH Action been vetted? Does it need to be vetted?
Security Report: step-security/harden-runner
SHA: e3f713f2d8f53843e71c69a996d56f51aa9adfb9 (v2.14.1)
Summary
| Category | Assessment | Notes |
|---|---|---|
| Purpose | ✅ Legitimate | EDR/security agent for GitHub Actions runners |
| Organization | ✅ Verified | stepsecurity.io - verified domain owner |
| Contributors | ✅ 13 | Professional security company |
| Commit Liveness | ✅ Active | 55 releases, v2.14.1 released Jan 26, 2025 |
| Stars | ✅ 952 | Strong adoption |
| License | ✅ Apache-2.0 | OSI-approved |
| OpenSSF Scorecard | ✅ 8.5/10 | Excellent score |
| Security Policy | ✅ Present | SECURITY.md with private disclosure (info@stepsecurity.io) |
| Adoption | ✅ Enterprise | Microsoft, Google, CISA, Kubernetes, AWS, Node.js |
OpenSSF Scorecard (v5.0.0) — Score: 8.5/10
| Check | Score | Notes |
|---|---|---|
| Binary-Artifacts | 10 | No binaries in repo |
| Branch-Protection | 8 | PRs required, 1 approver (not max) |
| CI-Tests | 10 | All PRs tested |
| Code-Review | 10 | All changesets reviewed |
| Dangerous-Workflow | 10 | No dangerous patterns |
| Dependency-Update-Tool | 10 | Dependabot enabled |
| License | 10 | Apache 2.0 |
| Maintained | 10 | 15 commits, 6 issues in 90 days |
| SAST | 10 | CodeQL on all commits |
| Security-Policy | 10 | SECURITY.md present |
| Token-Permissions | 10 | Least privilege |
| Pinned-Dependencies | 6 | Some deps not pinned by hash |
| Contributors | 6 | 2 contributing orgs |
| Vulnerabilities | 7 | 3 transitive dep vulnerabilities |
| CII-Best-Practices | 0 | No OpenSSF badge |
| Fuzzing | 0 | No fuzzing |
SHA Verification
| Item | Value |
|---|---|
| Scorecard commit | e3f713f2d8f53843e71c69a996d56f51aa9adfb9 |
| Your pinned SHA | e3f713f2d8f53843e71c69a996d56f51aa9adfb9 |
| Match | ✅ |
Organization Profile
- Company: StepSecurity Inc.
- Location: United States
- Verified domains: stepsecurity.io, www.stepsecurity.io
- Team: 6 members
- Focus: CI/CD security, GitHub Actions hardening
- Notable: Detected tj-actions/changed-files compromise (CVE-2025-30066)
Recommendation
✅ Approved for use
This is a professional security tool from a verified security company with:
- Excellent OpenSSF Scorecard (8.5/10)
- Enterprise adoption (Microsoft, Google, CISA)
- Active maintenance and security response
- All known CVEs patched in v2.14.1
- Proper security disclosure process
Note: I would actually push for increased adoption of this action to isolate the most critical actions on our project.
- Add pinact v1.6.0 to bingo dependencies for reproducible builds
- Update validate-gh-actions to use pinact with --check and --verify flags
- Add fix-gh-actions target for automatic SHA pinning
- Integrate validate-gh-actions into validate-go target to ensure it runs as part of the standard validation workflow

Using pinact eliminates the Node.js dependency and provides better validation by verifying SHA/version comment pairs are correct.
mociarain
left a comment
I think this is good to merge as is, but if there's more, ping me to re-review.
Which issue this PR addresses:
Continuation of #4125 (abandoned PR for pinning GitHub Actions dependencies).
What this PR does / why we need it:
Pins all GitHub Actions to their full commit SHA for improved security, following supply chain security best practices. This prevents unexpected changes from compromised or modified action tags.
Changes
- Add new workflow (ensure-sha-pinned-actions.yml) that fails CI if unpinned actions are introduced
- Add Makefile target (validate-gh-actions) for local validation, integrated into validate-go-action

Action Versions (all updated to latest patch)
- actions/checkout de0fac2e4500...
- actions/setup-go 7a3fe6cf4cb3...
- actions/setup-node 6044e13b5dc4...
- step-security/harden-runner e3f713f2d8f5...
- coverallsapp/github-action 648a8eb78e6d...
- golangci/golangci-lint-action 1e7e51e771db...
- softprops/action-gh-release a06a81a03ee4...
- oxsecurity/megalinter 42bb470545e3...
- github/codeql-action 5049b573e2cb...
- zgosalvez/github-actions-ensure-sha-pinned-actions 6124774845927...

Automation for future consistency
- ensure-sha-pinned-actions.yml runs on PRs that modify .github/workflows/ and fails if any action is not pinned to SHA
- make validate-gh-actions to check locally

Test plan for issue:
- make validate-gh-actions passes locally
- ensure-sha-pinned-actions workflow runs correctly

Is there any documentation that needs to be updated for this PR?
No - the Makefile help target already documents the new validate-gh-actions target.

How do you know this will function as expected in production?
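To make concrete what the ensure-sha-pinned-actions workflow and the validate-gh-actions target enforce, here is an added example checker (written for this page; it is not the project's Makefile target, the zgosalvez action, or pinact). It walks the `uses:` lines of a workflow, rejects anything that is not a full 40-hex commit SHA, flags pinned SHAs that lack the `# vX.Y.Z` comment that Dependabot and pinact rely on, and reports every finding rather than only the first. The allowlist of owners and the sample workflow are constructed for the example.

```python
import re
from typing import List, NamedTuple, Sequence

# Matches "uses: owner/repo@ref # comment"; the leading "- " list marker is optional.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?\s*(?:#\s*(\S+))?')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

class Finding(NamedTuple):
    line: int
    ref: str
    reason: str

def check_workflow(text: str, allow_owners: Sequence[str] = ()) -> List[Finding]:
    """Report every unpinned `uses:` reference in a workflow (all of them, not just the first)."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and docker:// images carry no git ref to pin
        if "@" not in ref:
            findings.append(Finding(lineno, ref, "missing @ref"))
            continue
        name, version = ref.rsplit("@", 1)
        if name.split("/")[0] in allow_owners:  # allowlisted publisher, e.g. "actions"
            continue
        if not FULL_SHA_RE.match(version):
            # Tags, branches and abbreviated SHAs are mutable or ambiguous: reject them.
            findings.append(Finding(lineno, ref, "not pinned to full commit SHA"))
        elif comment is None:
            # The "# vX.Y.Z" comment is what Dependabot and pinact use to track upgrades.
            findings.append(Finding(lineno, ref, "pinned SHA lacks version comment"))
    return findings

# Constructed sample workflow (not from the project) mixing pinned and unpinned refs.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@v6
      - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9
      - uses: ./.github/actions/local-build
      - uses: example-org/internal-action@main
"""
if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.reason}")
```

Run against real files by feeding each workflow's text to check_workflow and failing the build when the list is non-empty.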