
Action Pinning: 4 issues found #24

@hekkos-app

Hekkos found 4 Action Pinning configuration issues in this repository.

This is part of the main security audit.

Issue details
  • Issue 1: Workflow 'branch.yml' has 2 action(s) not pinned to full commit SHA: ./.github/actions/docker@unknown, ./.github/actions/precommit@unknown
  • Issue 2: Workflow 'cd.yml' has 2 action(s) not pinned to full commit SHA: tailscale/github-action@v4, cssnr/stack-deploy-action@v1.5.0
  • Issue 3: Workflow 'main.yml' has 2 action(s) not pinned to full commit SHA: ./.github/actions/sanity@unknown, commitizen-tools/commitizen-action@0.27.0
  • Issue 4: Workflow 'pages.yml' has 1 action(s) not pinned to full commit SHA: actions/cache@v5

Why this matters

Pinning actions to a full commit SHA provides stability and reduces supply-chain risk. It gives you:

  • Assurance that the action code you reviewed is what runs
  • Protection against upstream actions being updated to malicious code
  • Control over when to adopt action updates
  • Note: a pinned action does not pick up upstream security fixes on its own, so the pins need periodic review and bumping

How to fix

  1. Review all GitHub Actions in your workflow files (.github/workflows/*.yml)
  2. Replace tag-based references (e.g., actions/checkout@v4) with commit SHA references
  3. Use the full-length 40-character commit SHA (not a tag or a short SHA) for third-party actions
  4. Add comments with the tag name for readability

Example:

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
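The four steps above can be checked mechanically before a workflow change is merged. The script below is an added example, not part of this issue or of the Hekkos tool: it walks `.github/workflows/*.yml`, extracts every `uses:` reference and reports those that are not pinned to a 40-hex-character commit SHA. It goes a little beyond the issue text: `docker://` references are accepted only when pinned by an image digest (`@sha256:...`), and local `./` references are skipped because they run from the checked-out commit and carry no ref to pin (the issue above counts those, so the two reports differ on them). The sample workflow text embedded in the script is constructed for the demo and mirrors the unpinned references listed in Issue 2.

```python
"""Report GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example (not the Hekkos tool's own code). Assumptions: workflows live
under .github/workflows/, and a reference is considered pinned when its ref
is a 40-hex-character commit SHA or, for docker:// images, a sha256 digest.
"""
import re
import sys
from pathlib import Path

# Full-length Git commit id: 40 hex characters.
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# Image digest for docker:// references.
DIGEST_RE = re.compile(r"^sha256:[0-9a-fA-F]{64}$")
# A `uses:` line, with or without a leading list dash; the value stops at
# whitespace or at a trailing `# vX.Y.Z` comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?", re.M)


def classify_ref(ref):
    """Return (kind, pinned) for one `uses:` reference."""
    if ref.startswith("./"):
        # Local action: runs from the checked-out commit, nothing to pin.
        return ("local", True)
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        _name, sep, digest = image.partition("@")
        return ("docker", bool(sep) and bool(DIGEST_RE.match(digest)))
    _action, sep, version = ref.partition("@")
    if not sep:
        # `owner/repo` with no ref at all resolves to the default branch.
        return ("repo", False)
    return ("repo", bool(SHA_RE.match(version)))


def find_unpinned(workflow_text):
    """Return the unpinned references found in one workflow file's text."""
    return [m.group(1) for m in USES_RE.finditer(workflow_text)
            if not classify_ref(m.group(1))[1]]


def scan_workflows(root):
    """Map workflow filename -> list of unpinned references under root."""
    results = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        unpinned = find_unpinned(path.read_text(encoding="utf-8"))
        if unpinned:
            results[path.name] = unpinned
    return results


# Constructed sample workflow (hypothetical cd.yml) for the demo below.
SAMPLE_CD_YML = """\
name: cd
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: ./.github/actions/docker
      - uses: tailscale/github-action@v4
      - uses: cssnr/stack-deploy-action@v1.5.0
      - uses: docker://alpine:3.19
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Scan a real checkout: python check_pins.py /path/to/repo
        findings = scan_workflows(sys.argv[1])
    else:
        findings = {"cd.yml (sample)": find_unpinned(SAMPLE_CD_YML)}
    for name, refs in findings.items():
        print(f"{name}: {len(refs)} action(s) not pinned to full commit SHA")
        for ref in refs:
            print(f"  {ref}")
    sys.exit(1 if findings else 0)
```

Run with a repository path to scan real workflow files; with no argument it reports on the embedded sample, which flags the two tag-pinned third-party actions and the undigested `docker://` image while leaving the SHA-pinned checkout and the local action alone. The non-zero exit status lets the same script gate a CI job.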

Documentation:
