Skip to content

fix(security): pin GitHub Actions to commit SHAs in CI/publish workflows#120

Open
XananasX7 wants to merge 1 commit into
google:mainfrom
XananasX7:fix/security-pin-actions
Open

fix(security): pin GitHub Actions to commit SHAs in CI/publish workflows#120
XananasX7 wants to merge 1 commit into
google:mainfrom
XananasX7:fix/security-pin-actions

Conversation

@XananasX7

Copy link
Copy Markdown

Summary

This workflow uses mutable tag references for GitHub Actions. Tag-pinned actions can be silently redirected to malicious code (compromised maintainer, tag deletion + recreation, repo takeover). Any action running in a job that holds PYPI_TOKEN / PYPI_API_TOKEN can exfiltrate that token and publish a backdoored release, poisoning every downstream user.

Fix

All action references pinned to their immutable commit SHA (tag preserved as comment). Follows the GitHub security hardening guide.

Mutable tag references (e.g. checkout@v2, setup-python@v1,
pypa/gh-action-pypi-publish@v1.4.2, astral-sh/setup-uv@v5) can be
silently redirected to malicious code. If a tag-pinned action runs in
a job that holds PYPI_TOKEN the attacker can publish a backdoored
release, poisoning every downstream user of this package.

Pin all action references to their immutable commit SHA. The original
tag is preserved as a comment for human readability.
@google-cla

google-cla Bot commented Jun 28, 2026

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant