Merged
6 changes: 6 additions & 0 deletions .bingo/Variables.mk
Expand Up @@ -101,3 +101,9 @@ $(MOCKGEN): $(BINGO_DIR)/mockgen.mod
@echo "(re)installing $(GOBIN)/mockgen-v0.6.0"
@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=mockgen.mod -o=$(GOBIN)/mockgen-v0.6.0 "go.uber.org/mock/mockgen"

PINACT := $(GOBIN)/pinact-v1.6.0
$(PINACT): $(BINGO_DIR)/pinact.mod
@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
@echo "(re)installing $(GOBIN)/pinact-v1.6.0"
@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=pinact.mod -o=$(GOBIN)/pinact-v1.6.0 "github.com/suzuki-shunsuke/pinact/cmd/pinact"

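--- /dev/null
+++ b/.bingo/pinact.mod
@@ -0,0 +1,5 @@
+module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
+
+go 1.25.3
+
+require github.com/suzuki-shunsuke/pinact v1.6.0 // cmd/pinact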
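--- /dev/null
+++ b/.bingo/pinact.sum
@@ -0,0 +1,47 @@
+github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc=
+github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-github/v70 v70.0.0 h1:/tqCp5KPrcvqCc7vIvYyFYTiCGrYvaWoYMGHSQbo55o=
+github.com/google/go-github/v70 v70.0.0/go.mod h1:xBUZgo8MI3lUL/hwxl3hlceJW1U8MVnXP3zUyI+rhQY=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
+github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
+github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
+github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/suzuki-shunsuke/logrus-error v0.1.4 h1:nWo98uba1fANHdZ9Y5pJ2RKs/PpVjrLzRp5m+mRb9KE=
+github.com/suzuki-shunsuke/logrus-error v0.1.4/go.mod h1:WsVvvw6SKSt08/fB2qbnsKIMJA4K1MYCUprqsBJbMiM=
+github.com/suzuki-shunsuke/pinact v1.6.0 h1:2QvSzREOquwLwKXhF9Hj0AInE/Rl63SZz9dKkHFC6so=
+github.com/suzuki-shunsuke/pinact v1.6.0/go.mod h1:FDUMck0mmL0mcnNZ23Vjh/aOR5cIdZhF1IIpGksT4dQ=
+github.com/suzuki-shunsuke/urfave-cli-help-all v0.0.4 h1:YGHgrVjGTYHY98II6zijXUHP+OyvrzSCvd8m9iUcaK8=
+github.com/suzuki-shunsuke/urfave-cli-help-all v0.0.4/go.mod h1:sSi6xaUaHfaqu32ECLeyE7NTMv+ZM5dW0JikhllaalY=
+github.com/urfave/cli/v2 v2.27.6 h1:VdRdS98FNhKZ8/Az8B7MTyGQmpIr36O1EHybx/LaZ4g=
+github.com/urfave/cli/v2 v2.27.6/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ=
+github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4=
+github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM=
+golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
+golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=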
2 changes: 2 additions & 0 deletions .bingo/variables.env
Expand Up @@ -36,3 +36,5 @@ GOVULNCHECK="${GOBIN}/govulncheck-v1.1.4"

MOCKGEN="${GOBIN}/mockgen-v0.6.0"

PINACT="${GOBIN}/pinact-v1.6.0"

8 changes: 4 additions & 4 deletions .github/workflows/check-coverage.yml
Expand Up @@ -37,10 +37,10 @@ jobs:
workdir: .
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Install Go
uses: actions/setup-go@v6
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version-file: go.mod

Expand All @@ -64,7 +64,7 @@ jobs:
-- -coverprofile="$GITHUB_WORKSPACE/cover-${{ matrix.name }}.out" $PATTERN

- name: Coveralls
uses: coverallsapp/github-action@v2
uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
with:
parallel: true
flag-name: ${{ matrix.name }}
Expand All @@ -77,7 +77,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Coveralls Finished
uses: coverallsapp/github-action@v2
uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
with:
parallel-finished: true
carryforward: "cmd,pkg-api,pkg-frontend,pkg-operator,pkg-util,pkg-other"
26 changes: 13 additions & 13 deletions .github/workflows/ci-go.yml
Expand Up @@ -16,15 +16,15 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Set up Golang
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version-file: go.mod
- run: |
Expand All @@ -39,15 +39,15 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Set up Golang
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version-file: go.mod
- name: Run make generate
Expand All @@ -64,19 +64,19 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Set up Golang
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version-file: go.mod
- name: Run golangci-lint
uses: golangci/golangci-lint-action@v9
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
with:
version: v2.8.0
args: -v --timeout 15m
Expand All @@ -89,15 +89,15 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Set up Golang
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version-file: go.mod
- run: make validate-go-action
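Review bot: The `make validate-go-action` step on the last line of this hunk now also runs `pinact run --check --verify` (added to the Makefile in this PR), and `--verify` resolves every pinned SHA through the GitHub API; the step passes no token, so, as far as I can tell from pinact's documented behaviour, the lookups run unauthenticated and fall under the much lower anonymous rate limit, which is a flakiness risk once several jobs run in parallel. Consider giving the step `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, which needs nothing beyond the read-only default permissions already used in this workflow. Note also that the Harden Runner step in this job is in `egress-policy: audit` mode, so the API calls are only logged; if the policy is ever switched to `block`, `api.github.com` has to be in `allowed-endpoints` or this step starts failing.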
2 changes: 1 addition & 1 deletion .github/workflows/ci-guardrailpolicies.yml
Expand Up @@ -17,7 +17,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Install opa binary
run: |
2 changes: 1 addition & 1 deletion .github/workflows/ci-python.yml
Expand Up @@ -19,7 +19,7 @@ jobs:
image: registry.access.redhat.com/ubi9/python-311:latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: validate
run: |
make test-python
10 changes: 5 additions & 5 deletions .github/workflows/codeql-analysis.yml
Expand Up @@ -36,11 +36,11 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Set up Go
if: matrix.language == 'go'
uses: actions/setup-go@v6
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version-file: go.mod

Expand All @@ -49,15 +49,15 @@ jobs:
go mod download

- name: Initialize CodeQL
uses: github/codeql-action/init@v4
uses: github/codeql-action/init@5049b573e2cbf31c2dbde702a60c24fe476f0766 # v4
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql/codeql-config-${{matrix.language}}.yml

- name: Autobuild
uses: github/codeql-action/autobuild@v4
uses: github/codeql-action/autobuild@5049b573e2cbf31c2dbde702a60c24fe476f0766 # v4

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
uses: github/codeql-action/analyze@5049b573e2cbf31c2dbde702a60c24fe476f0766 # v4
with:
category: "/language:${{matrix.language}}"
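Review bot: The three codeql-action pins in this section (init, autobuild, analyze in this hunk and the one above) carry the comment `# v4`, a floating major tag, whereas every other pin in the PR records the exact release (`# v6.0.2`, `# v2.14.1`); as I understand pinact's `--verify`, it checks the SHA against the ref named in the comment, so this comment will stop matching as soon as `v4` is moved to a newer release, and until then it does not tell a reader which release the SHA actually is. Record the exact tag the SHA belongs to, e.g. `uses: github/codeql-action/init@5049b573e2cbf31c2dbde702a60c24fe476f0766 # v4.<minor>.<patch>` (placeholder: fill in the codeql-action release that this SHA was cut from), and the same comment on the autobuild and analyze lines.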
30 changes: 30 additions & 0 deletions .github/workflows/ensure-sha-pinned-actions.yml
@@ -0,0 +1,30 @@
name: Ensure SHA Pinned Actions

on:
push:
branches:
- master
paths:
- '.github/workflows/**'
pull_request:
paths:
- '.github/workflows/**'

permissions:
contents: read

jobs:
ensure-sha-pinned-actions:
name: Ensure SHA Pinned Actions
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1

Considering that security is the goal of the pull request, has this GH Action been vetted? Does it need to be vetted?


Security Report: step-security/harden-runner

SHA: e3f713f2d8f53843e71c69a996d56f51aa9adfb9 (v2.14.1)


Summary

Category Assessment Notes
Purpose ✅ Legitimate EDR/security agent for GitHub Actions runners
Organization ✅ Verified stepsecurity.io - verified domain owner
Contributors ✅ 13 Professional security company
Commit Liveness ✅ Active 55 releases, v2.14.1 released Jan 26, 2025
Stars ✅ 952 Strong adoption
License ✅ Apache-2.0 OSI-approved
OpenSSF Scorecard ✅ 8.5/10 Excellent score
Security Policy ✅ Present SECURITY.md with private disclosure (info@stepsecurity.io)
Adoption ✅ Enterprise Microsoft, Google, CISA, Kubernetes, AWS, Node.js

OpenSSF Scorecard (v5.0.0) — Score: 8.5/10

Check Score Notes
Binary-Artifacts 10 No binaries in repo
Branch-Protection 8 PRs required, 1 approver (not max)
CI-Tests 10 All PRs tested
Code-Review 10 All changesets reviewed
Dangerous-Workflow 10 No dangerous patterns
Dependency-Update-Tool 10 Dependabot enabled
License 10 Apache 2.0
Maintained 10 15 commits, 6 issues in 90 days
SAST 10 CodeQL on all commits
Security-Policy 10 SECURITY.md present
Token-Permissions 10 Least privilege
Pinned-Dependencies 6 Some deps not pinned by hash
Contributors 6 2 contributing orgs
Vulnerabilities 7 3 transitive dep vulnerabilities
CII-Best-Practices 0 No OpenSSF badge
Fuzzing 0 No fuzzing

SHA Verification

Item Value
Scorecard commit e3f713f2d8f53843e71c69a996d56f51aa9adfb9
Your pinned SHA e3f713f2d8f53843e71c69a996d56f51aa9adfb9
Match

Organization Profile


Recommendation

Approved for use

This is a professional security tool from a verified security company with:

  • Excellent OpenSSF Scorecard (8.5/10)
  • Enterprise adoption (Microsoft, Google, CISA)
  • Active maintenance and security response
  • All known CVEs patched in v2.14.1
  • Proper security disclosure process

Note: I would actually push for increased adoption of this action to isolate the most critical actions on our project

with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Ensure SHA pinned actions
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@6124774845927d14c601359ab8138699fa5b70c3 # v4.0.1

Considering that security is the goal of the pull request, has this GH Action been vetted? Does it need to be vetted?

@tuxerrante tuxerrante Feb 4, 2026


Click to expand outdated comment about a different tool

Sure, you're right to ask and indeed I've already done an inspection.
You're also right that we should share this kind of info in the PR itself when introducing new tooling.

So here's a formal report from my findings.


Security Report: mheap/pin-github-action

SHA: 6550a5c31b612a439ed7e63161811d35c36dd873 (v3.4.0)


Summary

Category Assessment Notes
Purpose ✅ Legitimate CLI/Action to pin GH Actions to SHAs
Author ✅ Verified Michael Heap - Sr. Director DevRel @Kong
Contributors ✅ 10 9 humans + Dependabot
Commit Liveness ✅ Active 100 commits, v3.4.0 released Jun 22, 2025
Stars ✅ 141 Decent adoption for utility tool
License ✅ MIT Auditable
Known CVEs ✅ None No advisories in Snyk or GitHub
OpenSSF Scorecard ⚠️ Not indexed No scorecard available
Security Policy ⚠️ Missing No SECURITY.md

Dependencies (package.json)

Package Version Risk
@octokit/rest ^21 ✅ Official GitHub SDK
commander ^13 ✅ Well-maintained CLI framework
yaml ^2.7.0 ✅ Standard YAML parser
fast-glob ^3.3.3 ✅ Common glob utility
debug ^4.4.0 ✅ Standard debug utility
matcher ^5.0.0 ✅ Simple pattern matcher
escape-string-regexp ^5.0.0 ✅ Simple utility

All dependencies are mainstream, well-maintained packages.


Security Scanning Results

Scanner Result
Snyk Security ✅ No direct vulnerabilities
GitHub Advisory Database ✅ No advisories
CVE Database ✅ No CVEs found

Your Mitigations (Already Applied)

Mitigation Status
Read-only workflow ✅ Done
Hardened runner ✅ Done
SHA pinned 6550a5c... matches v3.4.0

Gaps to Address

  1. No SECURITY.md - Vulnerabilities reported via public issues
  2. No OpenSSF Scorecard - Project not indexed by OpenSSF
  3. No Dependabot visible - Though the project does receive dependency updates


it looks like you reported on mheap/pin-github-action rather than zgosalvez/github-actions-ensure-sha-pinned-actions.

@tuxerrante tuxerrante Feb 4, 2026


I'm sorry I got confused with one of the alternatives I was considering.
At this point I'll review it directly as a comparison.

These tools are complementary, not alternatives:

Summary
  ┌─────────────────┬─────────────────────────────────────────┬────────────────────────────────────────────────────┐
  │     Aspect      │         mheap/pin-github-action         │ zgosalvez/github-actions-ensure-sha-pinned-actions │
  ├─────────────────┼─────────────────────────────────────────┼────────────────────────────────────────────────────┤
  │ Primary Purpose │ CLI tool to pin actions to SHAs         │ GitHub Action to validate actions are pinned       │
  ├─────────────────┼─────────────────────────────────────────┼────────────────────────────────────────────────────┤
  │ Use Case        │ Developer workflow / one-time migration │ CI enforcement / ongoing validation                │
  ├─────────────────┼─────────────────────────────────────────┼────────────────────────────────────────────────────┤
  │ Recommendation  │ ✅ Use for initial pinning              │ ✅ Use for CI enforcement                          │
  └─────────────────┴─────────────────────────────────────────┴────────────────────────────────────────────────────┘

1.2 Repository Health
  ┌────────────────┬─────────────────────────┬────────────────────────────────────────────────────┐
  │     Metric     │ mheap/pin-github-action │ zgosalvez/github-actions-ensure-sha-pinned-actions │
  ├────────────────┼─────────────────────────┼────────────────────────────────────────────────────┤
  │ Stars          │ 141                     │ 48                                                 │
  ├────────────────┼─────────────────────────┼────────────────────────────────────────────────────┤
  │ Forks          │ 17                      │ 16                                                 │
  ├────────────────┼─────────────────────────┼────────────────────────────────────────────────────┤
  │ Contributors   │ 10                      │ 8                                                  │
  ├────────────────┼─────────────────────────┼────────────────────────────────────────────────────┤
  │ Open Issues    │ 19                      │ 7                                                 │
  ├────────────────┼─────────────────────────┼────────────────────────────────────────────────────┤
  │ License        │ MIT                     │ MIT                                                │
  ├────────────────┼─────────────────────────┼────────────────────────────────────────────────────┤
  │ Latest Release │ v3.4.0 (2025-06-22)     │ v4.0.1 (2025-12-13)                                │
  ├────────────────┼─────────────────────────┼────────────────────────────────────────────────────┤
  │ Last Push      │ 2025-06-22              │ 2026-01-31                                         │
  ├────────────────┼─────────────────────────┼────────────────────────────────────────────────────┤
  │ Archived       │ No                      │ No                                                 │
  └────────────────┴─────────────────────────┴────────────────────────────────────────────────────┘
  Both projects are actively maintained. The zgosalvez action has more recent activity.

  2. Security Analysis

  2.1 zgosalvez/github-actions-ensure-sha-pinned-actions

  Strengths:
  ┌──────────────────────────┬─────────────────────────────────────────────────────────────────────┐
  │          Aspect          │                             Assessment                              │
  ├──────────────────────────┼─────────────────────────────────────────────────────────────────────┤
  │ Minimal permissions      │ No special permissions required; read-only operation                │
  ├──────────────────────────┼─────────────────────────────────────────────────────────────────────┤
  │ Native GitHub Action     │ Runs in isolated runner environment                                 │
  ├──────────────────────────┼─────────────────────────────────────────────────────────────────────┤
  │ Node24 runtime           │ Modern, supported Node.js version                                   │
  ├──────────────────────────┼─────────────────────────────────────────────────────────────────────┤
  │ Small dependency surface │ Only 3 runtime deps: @actions/core, @actions/glob, yaml             │
  ├──────────────────────────┼─────────────────────────────────────────────────────────────────────┤
  │ Bundled distribution     │ Uses @vercel/ncc to bundle dependencies (reduces supply chain risk) │
  ├──────────────────────────┼─────────────────────────────────────────────────────────────────────┤
  │ Allowlist support        │ Can exempt trusted publishers (e.g., actions/*)                     │
  ├──────────────────────────┼─────────────────────────────────────────────────────────────────────┤
  │ Dry-run mode             │ Non-blocking validation option                                      │
  └──────────────────────────┴─────────────────────────────────────────────────────────────────────┘
  Concerns:
  ┌─────────────────────────────────┬──────────┬────────────────────────────────────────────┐
  │             Concern             │ Severity │                 Mitigation                 │
  ├─────────────────────────────────┼──────────┼────────────────────────────────────────────┤
  │ Single maintainer (zgosalvez)   │ Low      │ MIT license allows forking; PR pins to SHA │
  ├─────────────────────────────────┼──────────┼────────────────────────────────────────────┤
  │ Reports only first error        │ Low      │ Multiple CI runs will surface all issues   │
  ├─────────────────────────────────┼──────────┼────────────────────────────────────────────┤
  │ Allowlist misconfiguration risk │ Low      │ Review allowlist in PR reviews             │
  └─────────────────────────────────┴──────────┴────────────────────────────────────────────┘
  Dependencies (v4.0.1):
  @actions/core@1.11.1    - Official GitHub toolkit (trusted)
  @actions/glob@0.5.0     - Official GitHub toolkit (trusted)
  yaml@2.8.2              - Well-maintained YAML parser

I think it is safe to proceed.
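Review bot: The two `paths` filters in the new workflow (`- '.github/workflows/**'` under both `push` and `pull_request`) mean a change that only touches a local composite action, if the repository has any under `.github/actions/`, would never trigger this check even though its `uses:` lines resolve the same way; if such files exist, add `- '.github/actions/**'` to both filters and confirm the zgosalvez action's default scan actually covers them (I believe it scans workflow files only unless told otherwise). `permissions: contents: read` at the top is the right scope for a validation-only job and stays read-only for fork PRs. `egress-policy: audit` on the Harden Runner step only records outbound traffic, consistent with the rest of the repo; since this job needs nothing beyond github.com it is a good first candidate for `egress-policy: block` with an explicit `allowed-endpoints` list, which is also the wider adoption the author mentions. A one-line header comment in the file saying that the Makefile's `validate-gh-actions` target enforces the same property with a different tool would help the next maintainer understand why there are two checks.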

4 changes: 2 additions & 2 deletions .github/workflows/maintenance.yml
Expand Up @@ -4,7 +4,7 @@ on:
push:
pull_request_target:
types:
- synchronize
- synchronize

permissions:
contents: read
Expand All @@ -15,7 +15,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: check if prs are dirty
uses: eps1lon/actions-label-merge-conflict@releases/2.x
uses: eps1lon/actions-label-merge-conflict@fd1f295ee7443d13745804bc49fe158e240f6c6e # releases/2.1.0
with:
dirtyLabel: needs-rebase
removeOnDirtyLabel: ready-for-review
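Review bot: The new pin comment `# releases/2.1.0` on the `eps1lon/actions-label-merge-conflict` line is the only one in this PR that is not written as a plain release tag, and it is not obvious whether `releases/2.1.0` is an immutable tag in that repository or a branch-style ref like the `releases/2.x` it replaces; if it is a branch, `pinact --verify` (now run from the Makefile) will either fail to resolve it or keep matching after the ref moves, which defeats the purpose of the comment. Check which ref the SHA `fd1f295ee7443d13745804bc49fe158e240f6c6e` was actually taken from and record that exact tag in the comment (`# <exact-tag>` placeholder). Pinning matters most in this file because the job runs under `pull_request_target`, where the action sees a base-repository token, so it is worth getting the comment right so later re-pins are verifiable.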
8 changes: 4 additions & 4 deletions .github/workflows/npm-audit.yml
Expand Up @@ -17,10 +17,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: setup Node.JS
uses: actions/setup-node@v6
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
with:
node-version: 16.16.0

Expand All @@ -33,10 +33,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: setup Node.JS
uses: actions/setup-node@v6
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
with:
node-version: 16.16.0

2 changes: 1 addition & 1 deletion .github/workflows/prune-tags.yml
Expand Up @@ -17,7 +17,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0

4 changes: 2 additions & 2 deletions .github/workflows/release-note.yml
Expand Up @@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.ref }}
fetch-depth: 0
Expand All @@ -25,7 +25,7 @@ jobs:
run: ./.github/generate_release_note.sh ${{ github.workspace }}/CHANGELOG.txt

- name: Release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
with:
body_path: ${{ github.workspace }}/CHANGELOG.txt
name: Release ${{ github.ref_name }}
4 changes: 2 additions & 2 deletions .github/workflows/yamllint.yml
Expand Up @@ -15,7 +15,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: yamllint
uses: oxsecurity/megalinter/flavors/ci_light@v9
uses: oxsecurity/megalinter/flavors/ci_light@42bb470545e359597e7f12156947c436e4e3fb9a # v9.3.0
16 changes: 14 additions & 2 deletions Makefile
Expand Up @@ -296,7 +296,7 @@ test-e2e: e2e.test
test-go: generate build-all validate-go lint-go unit-test-go

.PHONY: validate-go
validate-go: validate-imports
validate-go: validate-go-action
gofmt -s -w cmd hack pkg test
go run ./hack/licenses
@[ -z "$$(ls pkg/util/*.go 2>/dev/null)" ] || (echo error: go files are not allowed in pkg/util, use a subpackage; exit 1)
Expand All @@ -305,7 +305,7 @@ validate-go: validate-imports
go test -tags e2e -run ^$$ ./test/e2e/...

.PHONY: validate-go-action
validate-go-action: validate-imports validate-lint-go-fix
validate-go-action: validate-imports validate-lint-go-fix validate-gh-actions
go run ./hack/licenses -validate -ignored-go vendor,pkg/client,.git -ignored-python python/client,python/az/aro/azext_aro/aaz,vendor,.git
@[ -z "$$(ls pkg/util/*.go 2>/dev/null)" ] || (echo error: go files are not allowed in pkg/util, use a subpackage; exit 1)
@[ -z "$$(find -name "*:*")" ] || (echo error: filenames with colons are not allowed on Windows, please rename; exit 1)
Expand Down Expand Up @@ -342,6 +342,18 @@ validate-lint-go-fix: lint-go-fix
exit 1; \
fi

.PHONY: validate-gh-actions
validate-gh-actions: $(PINACT) ## Validate GitHub Actions are pinned to SHA
@echo "Checking that all GitHub Actions are pinned to SHA..."
@$(PINACT) run --check --verify
@echo "All GitHub Actions are properly pinned to SHA"

.PHONY: fix-gh-actions
fix-gh-actions: $(PINACT) ## Pin unpinned GitHub Actions to SHA
@echo "Pinning GitHub Actions to SHA..."
@$(PINACT) run
@echo "Done. Please review the changes."

.PHONY: lint-admin-portal
lint-admin-portal:
docker build --platform=linux/amd64 --build-arg REGISTRY=$(REGISTRY) --build-arg BUILDER_REGISTRY=$(BUILDER_REGISTRY) -f Dockerfile.portal_lint . -t linter:latest --no-cache
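Review bot: `validate-gh-actions` is now on the path of the developer-facing `validate-go` target (via `validate-go-action`, changed in the two hunks above), and its recipe `@$(PINACT) run --check --verify` needs network access to the GitHub API for the `--verify` part, so a local `make validate-go` on an offline machine or behind an egress proxy will now fail for a reason unrelated to the code under test. Consider making the verification opt-out for local runs while keeping it on in CI, e.g. `PINACT_VERIFY ?= --verify` near the other knobs and `@$(PINACT) run --check $(PINACT_VERIFY)` in the recipe, so `make PINACT_VERIFY= validate-go` still works offline. `fix-gh-actions` rewrites files under `.github/workflows/` in place; its `##` help text should say so, e.g. `## Pin unpinned GitHub Actions to SHA (rewrites .github/workflows in place)`, since the `@` prefix hides the command being run. Both targets correctly depend on `$(PINACT)`, which is the bingo-managed binary defined in `.bingo/Variables.mk`.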