Security: Pin GitHub Actions to commit SHAs #288

@joshuayoes

Summary

All CI/CD workflows reference GitHub Actions by mutable tag (e.g. @v4) instead of immutable commit SHA. A compromised upstream action could exfiltrate repository secrets including HOMEBREW_TAP_TOKEN and GITHUB_TOKEN.

Affected Files

  • .github/workflows/ci.yml
  • .github/workflows/release.yml

Current Code

ci.yml uses:

- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/setup-node@v4

release.yml uses:

- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: goreleaser/goreleaser-action@v6

Risk

Tags are mutable — a compromised or hijacked upstream repository can re-point a tag to malicious code. Since release.yml has contents: write permissions and uses GITHUB_TOKEN, a supply-chain attack could:

  1. Exfiltrate secrets (GITHUB_TOKEN, any other secrets)
  2. Modify release artifacts (backdoored binaries)
  3. Push malicious code to the repository

Remediation

Pin every uses: to the full commit SHA and add a comment with the version for readability:

# ci.yml
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2

# release.yml
- uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219c277f3f99673a4f3ba0 # v6.0.0

Consider adding Dependabot or StepSecurity pin-github-action to automate SHA resolution and updates.
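As an added example (not part of this issue or the repository's own tooling), the check below scans workflow text for `uses:` references and reports any that still point at a mutable tag or branch rather than a full 40-hex commit SHA. The sample workflow, file name `check_pins.py` and the digest rule for `docker://` steps are constructed assumptions for illustration; local `./` actions are skipped because they are not remote references.

```python
import re
import sys

# Constructed sample workflow (not the repository's real ci.yml): mixes the
# mutable-tag references the issue describes with already-pinned and local steps.
SAMPLE_CI = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: "actions/setup-node@main"
"""

# Captures the reference after "uses:", dropping optional quotes and any
# trailing "# vX.Y.Z" comment; matches both "- uses:" step lines and bare keys.
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^\s"\'#]+)', re.M)
FULL_SHA_RE = re.compile(r'^[0-9a-fA-F]{40}$')

def classify(ref):
    """Return 'pinned', 'unpinned' or 'skip' for one uses: reference."""
    if ref.startswith('./'):
        return 'skip'            # local action in this repo: nothing remote to pin
    if ref.startswith('docker://'):
        # container steps are pinned by image digest, not by a git SHA (assumption)
        return 'pinned' if '@sha256:' in ref else 'unpinned'
    if '@' not in ref:
        return 'unpinned'        # no ref at all resolves to the default branch
    _, version = ref.rsplit('@', 1)
    return 'pinned' if FULL_SHA_RE.match(version) else 'unpinned'

def find_unpinned(workflow_text):
    """List every uses: reference that is not pinned to an immutable identifier."""
    return [ref for ref in USES_RE.findall(workflow_text) if classify(ref) == 'unpinned']

if __name__ == '__main__':
    # Usage: python check_pins.py .github/workflows/*.yml  (no args: scan the sample)
    paths = sys.argv[1:]
    if not paths:
        print('sample:', find_unpinned(SAMPLE_CI))
    for path in paths:
        with open(path) as fh:
            for ref in find_unpinned(fh.read()):
                print(f'{path}: unpinned -> {ref}')
```

Running it over the sample reports the `@v4`, `docker://alpine:3.19` and `@main` references, while the SHA-pinned setup-go step passes.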
