Pin third-party GitHub Actions to commit SHAs #15528

@FredKSchott

Description

Describe the problem

All GitHub Actions across the SvelteKit repository reference third-party actions using mutable version tags (e.g., @v1, @v6) rather than immutable commit SHAs. Since tags are mutable in Git, pinning to a commit SHA is the recommended best practice for supply chain hardening — it ensures that the exact code you've reviewed is what runs in CI, regardless of what happens upstream. This is especially relevant for the changesets/action@v1 reference in the release workflow, which runs with npm publishing credentials and write permissions.

Unpinned actions include actions/checkout@v6, pnpm/action-setup@v4.2.0, actions/setup-node@v6, actions/upload-artifact@v7, denoland/setup-deno@v2, and actions/github-script@v8 across 6 workflow files and 2 composite actions.

Describe the proposed solution

Replace all mutable action tags with full-length commit SHA pins:

# Before
- uses: changesets/action@v1
- uses: actions/checkout@v6

# After
- uses: changesets/action@a4b00f7bec9143cdcce5e20c1e2ea1b4461b8c3e # v1
- uses: actions/checkout@eae0d12e5e4e5d5d5e5e5d5e5e5e5d5e5e5e5d5e # v6

Configure Dependabot or use the existing Renovate configuration to automatically propose updates when new action versions are released, ensuring the SHA pins stay current while maintaining security.

Alternatives considered

  • Restricting workflows to only use first-party actions/* — but this doesn't cover essential third-party actions like changesets/action and denoland/setup-deno.
  • Using GitHub's built-in action allowlist feature at the organization level — this limits which actions can be used but doesn't prevent tag mutation on allowed actions.

Importance

would make my life easier

Additional Information

Verification shows all actions use mutable tags:

grep -rn 'uses:' .github/workflows/*.yml .github/actions/*/action.yml | grep -v '#' | grep -vP '@[0-9a-f]{40}'

For reference, the tj-actions/changed-files incident in March 2023 demonstrated how mutable action tags can be a supply chain risk in practice.
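The one-line grep above is a quick check; the script below is an added example (not from this issue or the SvelteKit repository) that performs the same audit as a reusable function, handling the cases the one-liner does not: lines that carry an inline comment are still inspected, local actions (`./path`) and `docker://` images are skipped because they have no Git tag to pin, and the result can be used as a CI gate because it exits non-zero when anything is unpinned. The sample repository it builds, including the 40-hex placeholder SHA, is constructed for the demonstration; it assumes POSIX sh with find, grep -E, sed -E and mktemp.

```shell
#!/bin/sh
# Added example, not from the SvelteKit issue: audit a checkout for
# `uses:` references that are not pinned to a full 40-hex commit SHA.
set -eu

# Print every `uses:` reference under $1/.github/{workflows,actions}
# as "file:line:ref", with surrounding quotes and trailing comments removed.
list_uses() {
    find "$1/.github/workflows" "$1/.github/actions" -type f \
        \( -name '*.yml' -o -name '*.yaml' \) 2>/dev/null | sort |
    while IFS= read -r f; do
        grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$f" |
        while IFS= read -r hit; do
            lineno=${hit%%:*}
            rest=${hit#*:}
            ref=$(printf '%s\n' "$rest" | sed -E \
                -e 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//' \
                -e 's/[[:space:]]+#.*$//' \
                -e "s/^['\"]//" -e "s/['\"]$//")
            printf '%s:%s:%s\n' "$f" "$lineno" "$ref"
        done
    done
}

# Classify one reference: local (checked-in action or reusable workflow),
# docker (container image; pin those by digest instead), pinned (40-hex SHA),
# or unpinned (branch or tag, which the upstream repository can move).
classify_ref() {
    case $1 in
        ./*|../*)   echo local;  return 0 ;;
        docker://*) echo docker; return 0 ;;
    esac
    tag=${1##*@}                      # no '@' at all also ends up unpinned
    if printf '%s\n' "$tag" | grep -qE '^[0-9a-f]{40}$'; then
        echo pinned
    else
        echo unpinned
    fi
}

# Print only the unpinned references as "file:line:ref".
find_unpinned() {
    list_uses "$1" |
    while IFS= read -r entry; do
        ref=${entry#*:*:}
        if [ "$(classify_ref "$ref")" = unpinned ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# CI gate: list offenders and return 1 if any reference is unpinned.
check_pinned() {
    found=$(find_unpinned "$1")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    echo "all actions pinned"
}

# Build a constructed sample checkout (not the SvelteKit tree) and print its path.
make_sample_repo() {
    d=$(mktemp -d)
    mkdir -p "$d/.github/workflows" "$d/.github/actions/setup"
    cat > "$d/.github/workflows/ci.yml" <<'EOF'
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: "pnpm/action-setup@v4.2.0"
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v6 (placeholder SHA, constructed)
      - uses: ./.github/actions/setup
      - uses: docker://alpine:3.20
      - name: script
        uses: actions/github-script@v8 # an inline comment must not hide this line
EOF
    cat > "$d/.github/actions/setup/action.yml" <<'EOF'
name: setup
runs:
  using: composite
  steps:
    - uses: denoland/setup-deno@v2
EOF
    printf '%s\n' "$d"
}

# Usage: sh pin-audit.sh /path/to/checkout
if [ "$#" -gt 0 ]; then check_pinned "$1"; fi
```

Against the constructed sample, `find_unpinned` reports the four tag references (checkout, pnpm/action-setup, github-script and setup-deno) and leaves the SHA-pinned, local and docker entries alone, so `check_pinned` exits 1; pointing it at a real checkout gives the same file:line list the issue's grep does, minus the blind spots.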
