The Comforting Lie Of SHA Pinning
SHA pinning in GitHub Actions is widely recommended as a security best practice, but it has a critical flaw: GitHub does not validate that a commit SHA belongs to the referenced repository. Because forks share a Git object graph, an attacker can submit a PR that replaces a pinned action's SHA with one from an attacker-controlled fork while keeping the owner/repo reference unchanged. Reviewers see only a SHA bump and assume it's a safe version update. The post argues that SHA pinning is security theater — it trades mutable-but-scoped tags for immutable-but-unscoped SHAs, which is arguably worse. The recommendation is to introduce provenance checks that verify a SHA actually originates from the expected repository, and for GitHub to enforce tag immutability by default.
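One way to implement the provenance check the post recommends, as an added example that is not code from the original post: it parses the SHA pins out of a workflow and asks whether each SHA is contained in a branch or tag of the named repository, rather than merely existing in the object graph that forks share. The `git_reachable` helper, its clone layout, the sample workflow and the `KNOWN_REFS` table are assumptions of this example.

```python
import re
import subprocess

# Matches `uses: owner/repo[/path]@<40-hex sha>`; docker:// and local ./ actions do not match.
PIN_RE = re.compile(
    r"^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)(?:/[^@\s]+)?@([0-9a-f]{40})\b",
    re.MULTILINE,
)

def parse_pins(workflow):
    """Return (owner, repo, sha) for every SHA-pinned action in the workflow text."""
    return [(m.group(1), m.group(2), m.group(3)) for m in PIN_RE.finditer(workflow)]

def git_reachable(owner, repo, sha, clone_dir):
    """Real check: is `sha` contained in a branch or tag of the clone of owner/repo?
    Assumes `clone_dir` came from `git clone https://github.com/{owner}/{repo}` (refs
    only, never `git fetch origin <sha>`), so commits living only in a fork are absent.
    An unknown object makes git exit non-zero with empty stdout, which reads as False."""
    for cmd in (["branch", "-r", "--contains", sha], ["tag", "--contains", sha]):
        res = subprocess.run(["git", "-C", clone_dir, *cmd], capture_output=True, text=True)
        if res.returncode == 0 and res.stdout.strip():
            return True
    return False

def audit(workflow, is_reachable):
    """Return ("owner/repo@sha", "ok" | "UNSCOPED") per pin. `is_reachable(owner, repo,
    sha)` is injected so the logic runs offline; in production wrap git_reachable."""
    report = []
    for owner, repo, sha in parse_pins(workflow):
        report.append((f"{owner}/{repo}@{sha}", "ok" if is_reachable(owner, repo, sha) else "UNSCOPED"))
    return report

# Constructed sample: two pins to the same owner/repo. Only the first SHA is known to that
# repository's refs; the second mimics a "SHA bump" PR pointing at a fork-only commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111 # v4
      - uses: actions/checkout@2222222222222222222222222222222222222222 # v4
      - uses: docker://alpine:3.19
"""
KNOWN_REFS = {("actions", "checkout"): {"1111111111111111111111111111111111111111"}}

def fake_reachable(owner, repo, sha):
    return sha in KNOWN_REFS.get((owner, repo), set())  # offline stand-in for git_reachable

if __name__ == "__main__":
    for ref, verdict in audit(SAMPLE_WORKFLOW, fake_reachable):
        print(f"{verdict:9} {ref}")
```

Anything reported as UNSCOPED is exactly the case the post describes: the owner/repo text is unchanged, but the commit was never part of that repository's own history.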
Table of contents
Wait, what? No, that's not right…
Supply Chain Woes
If “use SHAs” is not sufficient, what is?