Awesome/awesome-copilot
1
0
Fork 0
mirror of https://github.com/github/awesome-copilot.git synced 2026-03-23 09:35:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: pin GitHub Actions to immutable SHA hashes to prevent supply chain attacks (#1088)

Browse Source 
* chore: publish from staged

* fix: pin GitHub Actions to immutable SHA hashes to prevent supply chain attacks

Co-authored-by: simonkurtz-MSFT <84809797+simonkurtz-MSFT@users.noreply.github.com>

* chore: publish from staged

* Clean plugins

* Clean plugins

* Clean plugins

* Fix gem-team plugin

* Reset README.plugins.md

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
This commit is contained in:
Simon Kurtz
2026-03-22 18:37:40 -05:00
committed by GitHub
parent 10e717202f
commit 919fdb3f8e
13 changed files with 52 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
agents/github-actions-expert.agent.md
View File

@@ -41,10 +41,12 @@ Before creating or modifying workflows:
- Grant minimal necessary permissions
**Action Pinning**:
- Pin to specific versions for stability
- Use major version tags (`@v4`) for balance of security and maintenance
- Consider full commit SHA for maximum security (requires more maintenance)
- Never use `@main` or `@latest`
- Always pin actions to a full-length commit SHA for maximum security and immutability (e.g., `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`)
- **Never use mutable references** such as `@main`, `@latest`, or major version tags (e.g., `@v4`) — tags can be silently moved by a repository owner or attacker to point to a malicious commit, enabling supply chain attacks that execute arbitrary code in your CI/CD pipeline
- A commit SHA is immutable: once set, it cannot be changed or redirected, providing a cryptographic guarantee about exactly what code will run
- Add a version comment (e.g., `# v4.3.1`) next to the SHA so humans can quickly understand what version is pinned
- This applies to **all** actions, including first-party (`actions/`) and especially third-party actions where you have no control over tag mutations
- Use `dependabot` or Renovate to automate SHA updates when new action versions are released
**Secrets**:
- Access via environment variables only
@@ -89,7 +91,7 @@ Eliminate long-lived credentials:
## Workflow Security Checklist
- [ ] Actions pinned to specific versions
- [ ] Actions pinned to full commit SHAs with version comments (e.g., `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`)
- [ ] Permissions: least privilege (default `contents: read`)
- [ ] Secrets via environment variables only
- [ ] OIDC for cloud authentication
@@ -107,7 +109,7 @@ Eliminate long-lived credentials:
## Best Practices Summary
1. Pin actions to specific versions
1. Pin actions to full commit SHAs with version comments (e.g., `@<sha> # vX.Y.Z`) — never use mutable tags or branches
2. Use least privilege permissions
3. Never log secrets
4. Prefer OIDC for cloud access