Why
Both CI jobs reference actions/checkout@v1, a mutable tag that can be silently re-pointed to a different (potentially malicious) commit, allowing a supply-chain attack to execute arbitrary code in CI with repository write permissions.
Current state
.github/workflows/ci.yml lines 9 and 23:
uses: actions/checkout@v1
A mutable tag means the tag owner can redirect it to any commit at any time. If actions/checkout@v1 were re-pointed, both CI jobs would silently execute the new code on the next push with full GITHUB_TOKEN permissions.
Ideal state
- Both
uses: actions/checkout@v1 references are replaced with a pinned commit SHA (e.g. actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683) with the version tag noted in a comment.
- The SHA is immutable — it cannot be redirected without changing the workflow file itself.
Out of scope
- Pinning other third-party actions that may be added to the workflow in the future (a separate audit).
- Upgrading from v1 to v4 (can be done simultaneously but is a separate decision).
Starting points
.github/workflows/ci.yml lines 9 and 23 — the two actions/checkout@v1 references to pin
QA plan
- Replace both
@v1 references with the current actions/checkout release SHA (check the official releases page for the latest stable SHA).
- Push to a branch — expect CI passes with the pinned action.
- Inspect the workflow file — expect both action references contain a full 40-character SHA, with the version noted in a comment.
Done when
Both actions/checkout references in the CI workflow are pinned to a full commit SHA, not a mutable tag.
Why
Both CI jobs reference
actions/checkout@v1, a mutable tag that can be silently re-pointed to a different (potentially malicious) commit, allowing a supply-chain attack to execute arbitrary code in CI with repository write permissions.Current state
.github/workflows/ci.ymllines 9 and 23:A mutable tag means the tag owner can redirect it to any commit at any time. If
actions/checkout@v1were re-pointed, both CI jobs would silently execute the new code on the next push with fullGITHUB_TOKENpermissions.Ideal state
uses: actions/checkout@v1references are replaced with a pinned commit SHA (e.g.actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683) with the version tag noted in a comment.Out of scope
Starting points
.github/workflows/ci.ymllines 9 and 23 — the twoactions/checkout@v1references to pinQA plan
@v1references with the currentactions/checkoutrelease SHA (check the official releases page for the latest stable SHA).Done when
Both
actions/checkoutreferences in the CI workflow are pinned to a full commit SHA, not a mutable tag.