Overview
We want to make sure all our 3rd party GHAs specify commit IDs rather than just tags. Tags can be reassigned to different commits after they're created. Commit IDs are unique to each commit. The popular actions-cool/issues-helper GHA has been hacked and its tags reassigned to a malicious code commit.
Action Items
Resources/Instructions
AI discussion
Yes, you can reference external GitHub Actions by commit SHA. This is actually one of the most secure and precise ways to reference actions.
How to reference by commit
You can specify a GitHub Action using its commit SHA in your workflow file like this:
- uses: owner/repo@<commit-sha>
For example:
- uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45eba93ac6d0
Why use commit references
Pinning to a specific commit provides several benefits:
- Immutability: The action code cannot change without you updating the reference
- Security: You're not affected by unexpected changes to branches like main or v1
- Reproducibility: Your workflows will always run the exact same code
- Transparency: You know precisely which code is executing
Other referencing methods
For comparison, you can also reference actions by:
- Branch: owner/repo@main (least secure—code can change)
- Tag/Release: owner/repo@v1.2.3 (convenient but the tag could be reassigned)
- Commit SHA: owner/repo@a81bbbf8298c0fa03ea29cdc473d45eba93ac6d0 (most secure)
Finding the commit SHA
You can get a commit SHA from:
- The repository's commit history on GitHub
- Running git rev-parse HEAD locally
- The GitHub API
Many security best practices recommend using full commit SHAs for external actions in production workflows to prevent supply chain attacks, though it does require more maintenance as actions are updated.
Tools to automate this
Yes, there are several tools that can help you reference GitHub Actions by commit SHA:
Popular tools
GitHub CLI — The official command-line tool is probably your best option. You can use it to query commit information and automate the process of finding and updating action references.
Dependabot — GitHub's built-in dependency management tool can automatically update your action references. You can configure it to pin actions to specific commit SHAs for security, though by default it typically updates to tags or branches.
Renovate — A more flexible third-party alternative to Dependabot that offers extensive customization options for how you want to manage and pin action versions, including commit SHAs.
action-versions — A GitHub Action itself that can help you check and update your action references, including converting them to commit SHAs.
Mend SCA (Software Composition Analysis) — Provides security scanning and can help identify and update pinned dependencies, including actions.
Manual approach
If you prefer a lightweight solution, you can:
- Use git ls-remote to find commit SHAs: git ls-remote https://github.com/owner/repo refs/heads/main
- Manually update your workflow YAML files
- Use a simple script to automate this across multiple workflows
What's your primary goal? Are you looking to automatically keep action references updated, or do you need a one-time tool to convert existing action references to commit SHAs?
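The "simple script" route from the discussion above, as an added example that is not part of the original issue or any of the tools it names: it scans workflow YAML for `uses:` steps, flags references that are not full 40-hex commit SHAs, and rewrites the flagged ones from a caller-supplied tag-to-SHA map (the resolution itself, e.g. via git ls-remote, is left to the caller). The sample workflow, the `v3` tag and the `deadbeef…` SHA are constructed placeholders.

```python
"""Audit GitHub Actions workflows for third-party actions not pinned to a full commit SHA."""
import re

# Matches a `uses:` line, e.g. `- uses: actions/checkout@v4  # comment`; group 1 is the reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def classify_ref(ref: str) -> str:
    """Return 'sha', 'short-sha', 'tag', 'branch', 'local' or 'docker' for one uses: reference.
    tag vs branch is a name heuristic (v1, 3.2.0 -> tag); both are mutable and count as unpinned."""
    if ref.startswith("./"):
        return "local"  # same-repo action: already fixed by the workflow's own commit
    if ref.startswith("docker://"):
        return "docker"  # image refs need digest pinning, out of scope here
    if "@" not in ref:
        return "branch"  # no version at all: GitHub resolves the default branch
    version = ref.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(version):
        return "sha"
    if SHORT_SHA_RE.match(version):
        return "short-sha"  # abbreviated SHAs are not accepted as a secure pin
    return "tag" if re.match(r"^v?\d", version) else "branch"


def audit_workflow(text: str) -> list[dict]:
    """List every uses: reference with its line number, kind and whether it is safely pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            kind = classify_ref(m.group(1))
            findings.append({"line": lineno, "uses": m.group(1), "kind": kind,
                             "pinned": kind in ("sha", "local")})
    return findings


def pin_workflow(text: str, resolved: dict[str, str]) -> str:
    """Rewrite references found in `resolved` ({'owner/repo@v1': '<40-hex sha>'}) to the SHA,
    keeping the original tag as a trailing comment so reviewers still see the intended version."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and m.group(1) in resolved:
            ref, sha = m.group(1), resolved[m.group(1)]
            if not FULL_SHA_RE.match(sha):
                raise ValueError(f"refusing to pin {ref} to non-full SHA {sha!r}")
            repo, tag = ref.rsplit("@", 1)
            line = line.replace(ref, f"{repo}@{sha}") + f"  # {tag}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample workflow; the checkout SHA is the one quoted in the discussion above.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45eba93ac6d0
      - uses: actions-cool/issues-helper@v3
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
"""
```

Run it over a directory with `pathlib.Path(".github/workflows").glob("*.yml")` and fail CI when any finding has `pinned == False`.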