
GitHub Actions pinned by tag, not SHA #90

@robocopklaus

Description

All GitHub Actions are pinned to major version tags (e.g., `@v6`, `@v4`) rather than full commit SHAs. Tags are mutable and could theoretically be compromised. This is a deliberate trade-off between security and maintainability.

File(s)

  • `.github/workflows/release.yml` (lines 37, 42, 47, 57, 84, 91, 94, 97, 118)

Evidence

```yaml
uses: actions/checkout@v6
uses: pnpm/action-setup@v4
uses: cycjimmy/semantic-release-action@v5
uses: docker/login-action@v3
```

Recommendation

Consider pinning to full commit SHAs for highest security, especially for third-party actions like `cycjimmy/semantic-release-action`. Use Dependabot or Renovate to automatically update SHA pins.
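As an added example (not code from the issue or the repository), a small Python check that flags `uses:` references pinned to a mutable tag or branch and rewrites them to a commit SHA once the tag has been resolved out of band (for example with `git ls-remote`); the workflow excerpt and the SHA values are constructed.

```python
import re

# Constructed sample modelled on the `uses:` lines quoted in the issue;
# not the project's actual release.yml.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    steps:
      - uses: actions/checkout@v6
      - uses: pnpm/action-setup@v4
      - uses: cycjimmy/semantic-release-action@v5
      - uses: docker/login-action@v3
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: ./.github/actions/local-thing
"""

USES_RE = re.compile(r'^(\s*-?\s*uses:\s*)([^\s#]+)(.*)$')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def classify(ref):
    """Return 'sha', 'tag' or 'local' for one action reference."""
    if ref.startswith('./') or ref.startswith('docker://'):
        return 'local'          # in-repo actions and image refs are out of scope here
    if '@' not in ref:
        return 'tag'            # no ref at all resolves to the default branch
    _, version = ref.rsplit('@', 1)
    return 'sha' if SHA_RE.match(version) else 'tag'

def find_unpinned(text):
    """Return (line_number, action_ref) for every mutable (tag/branch) reference."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify(m.group(2)) == 'tag':
            findings.append((n, m.group(2)))
    return findings

def pin_line(line, resolved):
    """Rewrite a `uses:` line to a full SHA, keeping the tag as a trailing comment
    so Dependabot/Renovate can still track the version. `resolved` maps
    'owner/repo@tag' -> commit SHA, obtained separately (e.g. git ls-remote)."""
    m = USES_RE.match(line)
    if not m or m.group(2) not in resolved:
        return line
    prefix, ref, _ = m.groups()
    repo, tag = ref.rsplit('@', 1)
    return f"{prefix}{repo}@{resolved[ref]} # {tag}"
```

Running `find_unpinned` over a real workflow file in CI turns the trade-off described above into an explicit, reviewable list rather than an unnoticed default.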

Risk if Ignored

Minimal risk — standard practice for most projects. SHA pinning is stricter but harder to maintain.


Found by: CI/CD & Release Pipeline Specialist (Agent 3), Security Specialist (Agent 4) | Reviewed by: Critique Agent

Labels: ci-cd (CI/CD & release pipeline), info (Nice to have improvement), security (Security concern)