Script Valley
CI/CD with GitHub Actions
Security and Best Practices, Lesson 6.2

How to pin GitHub Actions to a commit SHA for supply chain security

SHA pinning, supply chain attack, compromised action, Dependabot for actions, @v4 vs SHA pin, verified action badge, third-party action risk

Why Version Tags Are Not Enough

Mutable version tag vs immutable SHA pin

When you use actions/checkout@v4, GitHub resolves that tag to a commit at the moment the job runs. A tag is just a movable pointer: a malicious actor who compromises the action repository can move the v4 tag to point to a different, potentially malicious, commit, and every workflow referencing @v4 will pick it up on its next run. SHA pinning prevents this.

SHA Pinning

# Pinned to an immutable commit SHA
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0

The SHA is immutable: once a commit exists, its hash never changes, so the reference can only ever resolve to that exact code. A trailing comment with the version number keeps the file readable. If an action author, or an attacker controlling the repository, moves a tag, your pinned workflow is unaffected.
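A quick way to audit a repository for steps that still use mutable tags or branches is to scan each workflow's uses: lines and accept only references whose ref is a full 40-character commit SHA. The script below is an added example, not part of this lesson or of any GitHub tooling; the embedded workflow is constructed for the demonstration, and some-org/some-action is a placeholder, not a real action.

```python
import re
from typing import List, Tuple

# Matches `uses:` lines in a workflow (with or without the list dash and quotes),
# capturing the reference up to whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")
# Only a full 40-hex-digit SHA counts as pinned; abbreviated SHAs are rejected
# because they are ambiguous and GitHub does not treat them as immutable pins.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses_value: str) -> str:
    """Classify a `uses:` value as 'local', 'docker', 'sha' or 'mutable'."""
    if uses_value.startswith("./"):
        return "local"      # action lives in this repo; versioned with the workflow
    if uses_value.startswith("docker://"):
        return "docker"     # image refs need digest pinning; not covered here
    if "@" not in uses_value:
        return "mutable"    # no ref at all resolves to the default branch
    _, ref = uses_value.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, uses_value) for each step not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify_ref(match.group(1)) == "mutable":
            findings.append((lineno, match.group(1)))
    return findings


# Constructed sample workflow mixing pinned, tag-based, branch-based and local steps.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      - uses: actions/setup-node@v4
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for lineno, value in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {value} is not pinned to a commit SHA")
```

Run it over every file under .github/workflows/ in CI and fail the job on any finding, so a new tag-based step cannot be merged unnoticed.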

Keeping Pins Updated

Enable Dependabot for GitHub Actions in .github/dependabot.yml:

version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly

Dependabot opens PRs that bump the SHA pins (and the version comments beside them) automatically. Review the changelog and the diff before merging. This balances security (immutable pins) with maintenance (automated updates).
