Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
imglorp 2 hours ago

Public service announcement

You can pin actions versions to their hash. Some might say this is a best practice for now. It looks like this, where the comment says where the hash is supposed to point.

      Old -->   uses: actions/checkout@v4
      New -->   uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
There is a tool to sweep through your repo and automate this: https://github.com/mheap/pin-github-action
lijok 2 hours ago | parent | next [-]

The problem is actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 probably doesn’t do this same pinning, and the actions ecosystem is such an intertwined mess that any single compromised action can propagate to the rest

imglorp 2 hours ago | parent | next [-]

Yes, true, but at least the fire won't spread through this one point. Hopefully all of your upstreams can be persuaded to pin also.

derfniw 2 hours ago | parent | prev [-]

Well, it is a git commit hash of the action repo that contains the transpiled/bundled javascript.

Like: https://github.com/actions/checkout/tree/11bd71901bbe5b1630c...

So I'm pretty sure that for the same commit hash, I'll be executing the same content.

hobofan 2 hours ago | parent [-]

This is true specifically for actions/checkout, but composite actions can have other actions as dependencies, and unless the composite action pins the versions of its dependencies, it is vulnerable for this attack.

This article[0] gives a good overview of the challenges, and also has a link to a concrete attack where this was exploited.

[0]: https://nesbitt.io/2025/12/06/github-actions-package-manager...

rtaylorgarlock 2 hours ago | parent | prev | next [-]

My preferred tool to solve these issues is called 'gitlab'

righthand an hour ago | parent [-]

CircleCI

TravisCI

Jenkins

scripts dir

Etc

b00ty4breakfast 32 minutes ago | parent [-]

yeah, github's business model is not really a git repository but a bunch of other (admittedly useful) stuff that traps people in their ecosystem.

kanzure 2 hours ago | parent | prev | next [-]

I've always been worried about their backend changing and somehow named tags with a previous commit hash working for an attacker to give something you didn't expect for the commit hash.

woodruffw 2 hours ago | parent | prev [-]

See also pinact[1], gha-update[2], and zizmor's unpinned-uses[3].

The main desiderata with these kinds of action pinning tools is that they (1) leave a tag comment, (2) leave that comment in a format that Dependabot and/or Renovate understands for bumping purposes, and (3) actually put the full tag in the comment, rather than the cutesy short tag that GitHub encourages people to make mutable (v4.x.y instead of v4).

[1]: https://github.com/suzuki-shunsuke/pinact

[2]: https://github.com/davidism/gha-update

[3]: https://docs.zizmor.sh/audits/#unpinned-uses