Skip to content

actions/checkout pinned to mutable @v1 tag — supply chain substitution risk in CI #228

Description

@ooloth

Why

Both CI jobs reference actions/checkout@v1, a mutable tag that can be silently re-pointed to a different (potentially malicious) commit, allowing a supply-chain attack to execute arbitrary code in CI with repository write permissions.

Current state

.github/workflows/ci.yml lines 9 and 23:

uses: actions/checkout@v1

A mutable tag means the tag owner can redirect it to any commit at any time. If actions/checkout@v1 were re-pointed, both CI jobs would silently execute the new code on the next push with full GITHUB_TOKEN permissions.

Ideal state

  • Both uses: actions/checkout@v1 references are replaced with a pinned commit SHA (e.g. actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683) with the version tag noted in a comment.
  • The SHA is immutable — it cannot be redirected without changing the workflow file itself.

Out of scope

  • Pinning other third-party actions that may be added to the workflow in the future (a separate audit).
  • Upgrading from v1 to v4 (can be done simultaneously but is a separate decision).

Starting points

  • .github/workflows/ci.yml lines 9 and 23 — the two actions/checkout@v1 references to pin

QA plan

  1. Replace both @v1 references with the current actions/checkout release SHA (check the official releases page for the latest stable SHA).
  2. Push to a branch — expect CI passes with the pinned action.
  3. Inspect the workflow file — expect both action references contain a full 40-character SHA, with the version noted in a comment.

Done when

Both actions/checkout references in the CI workflow are pinned to a full commit SHA, not a mutable tag.

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions