Objective
Add an automated workflow or policy that detects `uses:` entries in GitHub Actions workflows that are not pinned to a full commit SHA.
Context
AD-17 recommends pinning new Actions, but the repository does not yet enforce this rule across existing workflows. A separate automation can scan workflows and flag `uses:` lines that omit a full 40-character SHA.
Scope
- Implement a scanner workflow or policy that inspects `.github/workflows/**` for `uses:` entries whose `@ref` is not a full 40-character commit SHA. Cover both step-level `uses:` and job-level `uses:` (reusable workflows); skip local actions (`./...`), which have no ref to pin; treat `docker://` references as pinned only when they carry a `@sha256:` digest.
- Surface findings as a CI check, PR comment, or an automated issue, and optionally fail CI on new unpinned `uses:` entries.
- Optionally provide an automated suggestion/PR that replaces loose refs with the latest pinned SHA for maintainers to review, keeping the resolved tag as a trailing comment so reviewers can see which release a SHA corresponds to.
- Document the policy and remediation steps in `SECURITY.md` or `docs/workflow-security.md`.
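A minimal scanner of the kind described above, added here as an illustration and not part of the repository's tooling. It works on the raw workflow text with a regular expression rather than a YAML parser so it needs only the standard library; the sample workflow, the file paths and the SHA/digest values in it are constructed for the example.

```python
"""Flag GitHub Actions `uses:` references not pinned to a full commit SHA.

Added example, not the project's own code. Regex-based so it runs with the
standard library only; a YAML-aware version would be stricter.
"""
import re
import sys
from pathlib import Path

# `uses:` at any indentation, optionally quoted. Matches step-level entries
# ("- uses: ...") and job-level entries for reusable workflows ("uses: ...").
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?(?P<ref>[^\s"\'#]+)')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # git commit SHA-1
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")    # OCI image digest


def classify(ref: str) -> str:
    """Return 'local', 'pinned' or 'unpinned' for one uses: reference."""
    if ref.startswith("./"):
        return "local"                  # same-repo action: nothing to pin
    if ref.startswith("docker://"):
        _, _, digest = ref.partition("@")
        return "pinned" if DIGEST_RE.match(digest) else "unpinned"
    _, sep, version = ref.partition("@")
    if not sep:
        return "unpinned"               # no ref at all: resolves to default branch
    return "pinned" if FULL_SHA_RE.match(version) else "unpinned"


def scan_text(text: str, name: str = "<workflow>") -> list:
    """Return (name, line_no, ref) for every unpinned uses: entry in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group("ref")) == "unpinned":
            findings.append((name, line_no, m.group("ref")))
    return findings


def scan_dir(root: Path) -> list:
    """Scan every workflow file under root/.github/workflows."""
    findings = []
    for path in sorted(root.glob(".github/workflows/*.y*ml")):
        findings.extend(scan_text(path.read_text(encoding="utf-8"), str(path)))
    return findings


# Constructed sample workflow (hypothetical values) mixing pinned, unpinned,
# local and container references.
SAMPLE = """\
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4.1.0
      - uses: actions/setup-node@v4
      - uses: "actions/cache@main"
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
      - run: echo not an action
  reuse:
    uses: octo-org/shared/.github/workflows/ci.yml@main
"""

if __name__ == "__main__":
    # With a path argument scan that repository; otherwise scan the sample.
    if len(sys.argv) > 1:
        results = scan_dir(Path(sys.argv[1]))
    else:
        results = scan_text(SAMPLE, "sample.yml")
    for name, line_no, ref in results:
        print(f"{name}:{line_no}: unpinned uses: {ref}")
    sys.exit(1 if results else 0)
```

Run with the repository root as the argument to get a non-zero exit status whenever an unpinned reference exists, which is enough to wire it in as a failing CI check; the per-line output maps directly onto PR comments.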
Rationale
Manual review of workflow pins is error-prone, and a tag or branch reference can be repointed to different code after the workflow has been reviewed. Automated detection reduces supply-chain risk by ensuring PRs that introduce unpinned third-party Actions are flagged early.
Benefits
- Reduces supply-chain regression risk from unpinned Actions.
- Lowers review burden by automatically flagging problematic workflow changes.
- Provides clear remediation guidance or automated suggestions.
Definition of Done
Milestone
1.0 Stabilize MVP