Version tags like actions/checkout@v5 are mutable: maintainers can move them, re-release them, or force-push over them. Your workflow could run different code tomorrow without you changing anything.
Pin to commit SHAs instead. One command to get the SHA: gh api repos/actions/checkout/commits/v5.0.1 --jq '.sha'
Then use it: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
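As an added example (not from the post or the linked article): a small Python audit that lists every remote action in a workflow that is still on a mutable ref or is SHA-pinned without a version comment, plus a helper that rewrites a uses: line once you have resolved the SHA with the gh api command above. The sample workflow and the 40-hex SHA inside it are constructed placeholders.

```python
import re

# A workflow step line: "  - uses: owner/repo@ref   # optional comment".
USES_RE = re.compile(r"^(?P<lead>\s*-?\s*uses:\s*)(?P<uses>[^\s#]+)(?P<rest>\s*(#.*)?)$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not from the post); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@main
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.20
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v1.2.3
"""

def audit_workflow(text):
    """Return (line_no, uses, status) per remote action step. status is 'mutable'
    (tag, branch or no ref), 'pinned' (40-hex SHA with a version comment) or
    'pinned-no-comment'. Local paths and docker images have no git ref: skipped."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group("uses").strip("'\"")
        if uses.startswith(("./", "docker://")):
            continue
        ref = uses.partition("@")[2]
        if not FULL_SHA_RE.fullmatch(ref):
            status = "mutable"
        elif "#" in m.group("rest"):
            status = "pinned"
        else:
            status = "pinned-no-comment"
        findings.append((n, uses, status))
    return findings

def pin_line(line, sha, version):
    """Rewrite one uses: line to a commit SHA plus a readable version comment.
    `sha` is what the tag resolved to, e.g. via the gh api command in the post."""
    m = USES_RE.match(line)
    if not m or not FULL_SHA_RE.fullmatch(sha):
        raise ValueError("need a uses: line and a full 40-hex commit SHA")
    action = m.group("uses").strip("'\"").split("@", 1)[0]
    return f"{m.group('lead')}{action}@{sha} # {version}"
```

Run audit_workflow over each file under .github/workflows and fail CI on any 'mutable' finding; the check deliberately ignores comments such as "# v5" on a tag ref, since a comment does not make the tag immutable.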
Full article: https://cloudnativeengineer.substack.com/p/github-actions-reproducibility-security