Security researchers have continued to highlight the risks of using third-party GitHub Actions in CI/CD pipelines. Pinning actions to a specific commit SHA rather than a mutable tag is now considered best practice, as tag references can be silently updated by a compromised maintainer.
The attack surface is significant: a malicious or compromised action with broad permissions can exfiltrate secrets, modify build artifacts, or introduce backdoors into software before it ships.
- Pin actions to a commit SHA (uses: actions/checkout@<sha> not @v4)
- Restrict GITHUB_TOKEN scope using permissions: in your workflow

Treating your CI/CD pipeline with the same rigor as your production code is no longer optional.