Pinned GitHub Action (SHA vs tag)

GitHub Actions can be referenced three ways in a workflow YAML's `uses:` field: by tag (`actions/checkout@v4`), by branch (`actions/checkout@main`), or by commit SHA (`actions/checkout@8e5e7e5...`).

Tags and branches are MUTABLE. The action maintainer (or anyone with write access) can re-point a tag or branch to a different commit at any time. Today's `actions/checkout@v4` is whatever the v4 tag currently points to; the bytes can change tomorrow without any version-number warning.

Commit SHAs are IMMUTABLE. `actions/checkout@8e5e7e5d6b48f1abe9d11d1...` will always be exactly the same code, forever. Pin to SHA and the action becomes content-addressed.

Threat 1: Maintainer compromise. An attacker phishes or credentials-stuffs a popular action's maintainer account. Pushes a malicious version. Retags v4 to the malicious commit. Every workflow using `actions/checkout@v4` runs the malicious code on the next run.

Threat 2: Intentional malicious release. The maintainer themselves goes bad — pushes a malicious version under an existing version tag (rare but documented).

Threat 3: GitHub-level compromise. An attacker compromises GitHub infrastructure and modifies tag refs. Extremely rare but covered by this defense.

All three threats reduce to 'the bytes behind a tag/branch ref are not what they were when you originally added the action.' Pinning to SHA defeats all three.

Pinning to SHA means you don't get automatic security updates. If the action maintainer ships a patch for a real vulnerability, your workflow keeps using the old (vulnerable) SHA until you manually update.

Standard mitigation: use Dependabot (or Renovate) to monitor action versions and open PRs to bump SHA when new releases ship. The bot reads the action's release feed and proposes a PR with the new SHA. Maintainer reviews + merges.

This converts the upgrade decision into a controlled, reviewed PR rather than an implicit silent upgrade on every workflow run. Best of both worlds: immutability of pinned SHAs + visibility into when upgrades happen.

Static rule: any `uses:` line that doesn't end in a 40-character hex SHA gets flagged. The rule is regex-trivial; the noisy part is exception handling for cases where the team has consciously chosen not to pin (rare for production workflows).

LGTM Security's rule id: workflow.action-pinned-to-mutable-ref. Severity is configurable per-rule — most teams set it to 'warn' (non-blocking PR comment) rather than 'block' because the false-positive rate on early-stage repos is high.

Similar checks in: OSSF Scorecard (Pinned-Dependencies), GitHub's actions analysis (deprecation warnings), CodeQL (custom queries).

Pinning is table stakes when:

(1) You publish a package (npm/PyPI/RubyGems). Your release pipeline IS the supply chain for your users.

(2) Your workflow has access to production secrets. A compromised action with secrets in env is a full incident.

(3) You're a public repo with many contributors. Surface area for action-source tampering is larger.

Pinning is overkill when:

(1) Solo throwaway side project, no secrets, no deployment. Tag refs are fine.

(2) Cost of automation maintenance exceeds risk reduction (rare but possible for very small teams).

Most professional teams default to SHA pinning + Dependabot — the maintenance cost is minor (one PR per action update per month-ish) and the risk reduction is real.