Skip to content

Pin third-party GitHub Actions to commit SHAs#7

Merged
OBress merged 1 commit into
mainfrom
security/pin-action-shas
May 12, 2026
Merged

Pin third-party GitHub Actions to commit SHAs#7
OBress merged 1 commit into
mainfrom
security/pin-action-shas

Conversation

@OBress

@OBress OBress commented May 12, 2026

Copy link
Copy Markdown
Owner

Summary

  • Pin every third-party action in release.yml and ci.yml to a commit SHA (with the original tag kept as a trailing comment)
  • Defense against the tag-takeover vector exploited by the TanStack supply-chain compromise (May 2026)

Why

Tag-pinned actions (@v4, @v2, @v0.2.19) are re-resolved on every run. A maintainer — or anyone who steals their token — can push a new commit to a moving tag and the next workflow run executes that code with the repo's release token.

Notes

  • dtolnay/rust-toolchain@stable is intentionally left unpinned: that action reads github.action_ref to pick which Rust toolchain to install, so SHA-pinning would break it.
  • Bumping pinned versions later: re-run gh api repos/OWNER/REPO/commits/TAG --jq '.sha' and update.

🤖 Generated with Claude Code

Tag-pinned actions (@v4, @v2, @v0.2.19) are vulnerable to tag
takeover: a maintainer or anyone who steals their token can push a
new commit to the moving tag and the next workflow run executes that
code with the release token. The TanStack supply-chain compromise
(May 2026) exploited exactly this pattern.

SHA-pinning ensures we only run the bytes we audited. The original
tag is kept as a comment after each SHA for readability.

dtolnay/rust-toolchain@stable is intentionally left unpinned: that
action reads github.action_ref to pick which Rust toolchain to
install, so SHA-pinning would break it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@OBress OBress merged commit d08668b into main May 12, 2026
2 checks passed
@OBress OBress deleted the security/pin-action-shas branch May 12, 2026 17:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant