GitHub View Source

Improve your GitHub Actions security

14 Jan 2020 in Tech

Just before Christmas, Julien Renaux published a thought provoking article on the risks of using GitHub actions that you don’t own. You can read the whole thing, but Julien provides a summary for us at the top:

TL;DR: Using GitHub actions with branch names or tags is unsafe. Use commit hash instead.

I agree with Julien that using arbitary actions is a risk, but as always it’s a compromise between security and making life easy for ourselves. Specifying a commit hash each time we want to upgrade could become painful very quickly, especially if you’re using a large number of actions.

With that in mind, I thought about how we could solve the problem with automation and came up with the following solution.


pin-github-action is a command line tool that allows you to target any commit reference, be it a branch, tag or sha whilst pinning to a specific sha in your actions.

It works by looking for any uses step in your workflows and replacing it with a sha and a comment.

uses: actions/checkout@master


uses: actions/checkout@db41740e12847bb616a339b75eb9414e711417df # pin@master

This allows us to depend on a specific sha whilst still knowing what the original pinned version was. If we run the tool again, it will look up the latest sha for master (whether it’s a sha, tag or branch, in that order) and update the workflow to use that sha.

Using pin-github-action

The tool is written in Node, which means you’ll need to install it with npm.

npm install -g pin-github-action

If you get a permissions error, you may need to run sudo npm install instead

Once it’s installed, you provide the tool with a workflow file and it takes care of the rest.

pin-github-action /path/to/.github/workflows/your-name.yml

If you’re using any private actions, you’ll need to provide the tool with a GitHub access token that can read the relevant repository

GH_ADMIN_TOKEN=<your-token-here> pin-github-action /path/to/.github/workflows/your-name.yml


If you’re interested in reading the code or contributing the project, the source is available on GitHub