Summary
Our GitHub Actions workflows currently reference third-party and first-party actions by mutable tags (e.g. @v4, @v2.6.1, @nightly). Tags are mutable references and can be silently repointed by a compromised maintainer account or a malicious insider, allowing arbitrary code execution in the context of our CI with access to the repository's GITHUB_TOKEN and any configured secrets.
Pinning each uses: reference to a full-length commit SHA eliminates this class of supply chain attack, because a SHA cannot be repointed without collision. This is the approach recommended by GitHub's own security hardening guide and by OpenSSF Scorecard's Pinned-Dependencies check.
Affected workflows
The following references need to be pinned to full commit SHAs (with the human-readable version retained as a trailing comment so Dependabot can still propose updates):
.github/workflows/audit.yml
actions/checkout@v4rustsec/audit-check@v2
.github/workflows/cla.yml
actions/create-github-app-token@v2contributor-assistant/github-action@v2.6.1
.github/workflows/extension.yaml
actions/checkout@v4dtolnay/rust-toolchain@nightlyactions/cache@v4actions/upload-artifact@v4
Note that dtolnay/rust-toolchain@nightly is a moving branch rather than a tag, so pinning it to a SHA also has the side effect of making the installed toolchain reproducible — version bumps will become explicit PRs rather than silent drift.
Proposed approach
- Replace each
uses: reference with the form owner/repo@<full-40-char-sha> # vX.Y.Z.
- Enable Dependabot's
github-actions ecosystem (if not already) so pinned SHAs are kept current via automated PRs.
- Optionally add a CI check (e.g.
zgosalvez/github-actions-ensure-sha-pinned-actions, itself SHA-pinned) to prevent regressions when new workflows or steps are added.
Acceptance criteria
Summary
Our GitHub Actions workflows currently reference third-party and first-party actions by mutable tags (e.g.
@v4,@v2.6.1,@nightly). Tags are mutable references and can be silently repointed by a compromised maintainer account or a malicious insider, allowing arbitrary code execution in the context of our CI with access to the repository'sGITHUB_TOKENand any configured secrets.Pinning each
uses:reference to a full-length commit SHA eliminates this class of supply chain attack, because a SHA cannot be repointed without collision. This is the approach recommended by GitHub's own security hardening guide and by OpenSSF Scorecard'sPinned-Dependenciescheck.Affected workflows
The following references need to be pinned to full commit SHAs (with the human-readable version retained as a trailing comment so Dependabot can still propose updates):
.github/workflows/audit.ymlactions/checkout@v4rustsec/audit-check@v2.github/workflows/cla.ymlactions/create-github-app-token@v2contributor-assistant/github-action@v2.6.1.github/workflows/extension.yamlactions/checkout@v4dtolnay/rust-toolchain@nightlyactions/cache@v4actions/upload-artifact@v4Note that
dtolnay/rust-toolchain@nightlyis a moving branch rather than a tag, so pinning it to a SHA also has the side effect of making the installed toolchain reproducible — version bumps will become explicit PRs rather than silent drift.Proposed approach
uses:reference with the formowner/repo@<full-40-char-sha> # vX.Y.Z.github-actionsecosystem (if not already) so pinned SHAs are kept current via automated PRs.zgosalvez/github-actions-ensure-sha-pinned-actions, itself SHA-pinned) to prevent regressions when new workflows or steps are added.Acceptance criteria
uses:line in.github/workflows/is pinned to a full commit SHA with a trailing version comment.github-actionsdependencies.CONTRIBUTING.md).