
ci: pin all GitHub Actions to full commit SHAs to prevent supply-chain attacks #9160

Open

XananasX7 wants to merge 1 commit into google:master from XananasX7:fix/security-pin-actions-to-commit-shas

Conversation

@XananasX7


Summary

The release.yml workflow uses multiple GitHub Actions pinned to mutable version tags (e.g. @v6, @v5, @v1, @v2). An attacker who compromises any of these upstream Action repositories can silently change what @v5 or @v6 points to, and that malicious code will execute the next time a release is published — with access to repository secrets (NPM_TOKEN, TWINE_TOKEN, NUGET_API_KEY, CARGO_TOKEN, MAVEN_GPG_PRIVATE_KEY, etc.).

Affected file

.github/workflows/release.yml

Vulnerability class

Supply-chain attack via mutable Action tag references (CWE-829).

Affected actions (before → after)

| Action | Was | Now |
|---|---|---|
| actions/checkout | @v6 | @df4cb1c069e1874edd31b4311f1884172cec0e10 |
| actions/setup-node | @v6 | @48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e |
| actions/setup-python | @v6 | @ece7cb06caefa5fff74198d8649806c4678c61a1 |
| actions/setup-dotnet | @v5 | @26b0ec14cb23fa6904739307f278c14f94c95bf1 |
| actions/setup-java | @v5 (×2) | @1bcf9fb12cf4aa7d266a90ae39939e61372fe520 |
| actions-rs/toolchain | @v1 | @16499b5e05bf2e26879000db0c1d13f7e13fa3af |
| katyo/publish-crates | @v2 (×2) | @02cc2f1ad653fb25c7d1ff9eb590a8a50d06186b |

Fix

All actions are now pinned to their full immutable commit SHA, with the version tag kept as an inline comment for human readability.
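A reviewer or CI gate can verify the claim above mechanically. The following checker is an added example, not code from this PR or the repository: it scans a workflow file for `uses:` references and flags any remote action whose ref is not a full 40-hex commit SHA. The workflow fragment is constructed for the example; the two SHAs in it are the checkout and publish-crates pins from the table above.

```python
import re
from typing import List, Tuple

# Constructed sample workflow fragment (not the PR's release.yml). The two SHAs are
# the checkout and publish-crates pins quoted in the PR description.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: katyo/publish-crates@02cc2f1ad653fb25c7d1ff9eb590a8a50d06186b  # v2
"""

# Matches "uses: <ref>" whether or not the line is a list item; \S+ stops at
# whitespace, so a trailing "# v6" comment is not captured as part of the ref.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned_to_sha(uses_ref: str) -> bool:
    """True only when owner/repo@<ref> carries a full 40-hex commit SHA.
    Tags (v6), branches (main) and abbreviated SHAs (df4cb1c) are all treated
    as mutable, because none of them identifies exactly one immutable commit."""
    _, sep, ref = uses_ref.rpartition("@")
    return bool(sep) and FULL_SHA_RE.fullmatch(ref) is not None


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reference) for every remote action not pinned to a
    full SHA. Local actions (./path) and docker:// images are outside this
    check and are skipped."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")  # tolerate quoted YAML scalars
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not is_pinned_to_sha(ref):
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

Run it against `.github/workflows/release.yml` after the change; an empty result is the condition this PR claims to establish.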

XananasX7 requested a review from dbaileychess as a code owner on June 28, 2026 02:59
github-actions bot added the CI (Continuous Integration) label on Jun 28, 2026