GA-C001: Unpinned action version
Severity: Warning. Category: Security.
Why This Matters
Using a mutable version tag like @v4 allows the action maintainer to push breaking changes or malicious code to that tag without your knowledge. Pin to a full commit SHA to ensure immutable, reproducible builds. The tj-actions/changed-files supply chain attack (March 2025) compromised 23,000+ repos via tag mutation.
How to Fix
Pin the action to a specific commit SHA
Before (incorrect)
uses: actions/checkout@v4
After (correct)
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
Rule Details
- Rule Code: GA-C001
- Severity: Warning
- Category: Security
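As an added example (not the rule's own implementation), the check below scans a workflow for `uses:` references whose ref is not a full 40-hex commit SHA, skipping local `./` and `docker://` references that this rule does not cover. The sample workflow and the SHA on the setup-node line are constructed.

```python
import re

# A full commit SHA is exactly 40 hex characters; anything else (tag, branch, short SHA) is mutable.
SHA40 = re.compile(r"^[0-9a-fA-F]{40}$")
# Matches `uses:` at step or job level, with or without quotes, stopping before a trailing comment.
USES = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")


def parse_uses(ref):
    """Split 'owner/repo[/path]@ref' into (action, ref). Returns None for refs the rule skips."""
    if ref.startswith(("./", "docker://")):
        return None  # local actions and container images are out of scope for GA-C001
    if "@" not in ref:
        return (ref, None)  # no ref at all: resolves to the default branch, so mutable
    action, _, version = ref.rpartition("@")
    return (action, version)


def find_unpinned(workflow_text):
    """Return (line_no, action, ref) for every uses: that is not pinned to a full commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        parsed = parse_uses(m.group(1))
        if parsed is None:
            continue
        action, version = parsed
        if version is None or not SHA40.match(version):
            findings.append((n, action, version))
    return findings


# Constructed sample workflow; the setup-node SHA is a placeholder, not a real commit.
SAMPLE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
      - uses: tj-actions/changed-files@main
"""

if __name__ == "__main__":
    for n, action, version in find_unpinned(SAMPLE):
        print(f"line {n}: {action}@{version} is not pinned to a commit SHA (GA-C001)")
```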