Problem
The workflows in this repository reference third-party GitHub Actions by mutable tags (e.g. actions/checkout@v4, dtolnay/rust-toolchain@stable). Git tags are mutable: anyone with push access to an action's repository - including via a stolen maintainer token - can repoint an existing tag (even a version tag that is already trusted) to malicious code. Because a workflow runs with access to repository secrets and the GITHUB_TOKEN, a single compromised action can exfiltrate credentials or tamper with releases.
These attacks have been happening more and more frequently. Most notably:
- aquasecurity/trivy-action (March 2026, threat actor "TeamPCP"): an attacker with write access force-repointed 76 of 77 release tags (and all 7 tags in aquasecurity/setup-trivy) to malicious commits.
- tj-actions/changed-files (CVE-2025-30066, March 2025): an attacker compromised a maintainer PAT and retroactively repointed every version tag to a single malicious commit that dumped CI/CD secrets into build logs; ~23,000 repositories were affected.
- reviewdog actions (CVE-2025-30154, March 2025): the stepping-stone compromise used to steal the tj-actions token. Same root cause: mutable tags.
Users of cargo-chef's DockerHub image or the released binary cannot 100% ensure that the build artifacts (i.e. the final Docker image) produced by cargo-chef have not been tampered with by some poisoned payload. This prevents security-aware users from using cargo-chef to speed up their build pipelines.
Why SHA pinning fixes this
A full-length commit SHA is an immutable reference. Per GitHub's hardening guidance, "Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release". Tags can be moved; a SHA cannot.
Both CrowdStrike and Microsoft give the same primary recommendation in response to the Trivy compromise: pin actions by commit SHA rather than tag.
Proposed change
- Pin every action in .github/workflows/ to a full-length commit SHA, with a trailing comment recording the human-readable version (e.g. # v4.3.1) so the intent stays readable and Dependabot can still propose updates.
- Update .github/dependabot.yml so the github-actions ecosystem receives patch-level updates (security fixes frequently ship as patch releases, and Dependabot rewrites both the pinned SHA and the version comment), grouped into a single weekly PR to limit noise.
- This can only be done by @LukeMathWalker: Set "Require actions to be pinned to a full-length commit SHA" in the repo settings.
References