Pin GitHub Actions to a full-length commit SHA for security

Last weekend, the popular GitHub Action tj-actions/changed-files was compromised (see https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/ and https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised). The issue has been resolved, but similar incidents could happen again. To reduce the impact of such a compromise, pin each action to a full-length commit hash instead of a mutable tag or branch.

Mar 17, 2025 - 09:03