GA-C002: Mutable action tag
Severity: Warning · Category: Security
Why This Matters
Using a branch ref such as @main or @master means the action version changes with every commit to that branch. This makes builds non-reproducible and exposes the workflow to untested or malicious changes. Pin to a commit SHA or, at minimum, a specific version tag. Note that a tag can be moved by the action's maintainer (or by anyone who gains write access to the repository), so a full-length commit SHA is the only reference that is truly immutable; the version tag is best kept as a trailing comment for readability.
How to Fix
Pin the action to a specific commit SHA or version tag.

Before (incorrect)

```yaml
uses: actions/checkout@main
```

After (correct)

```yaml
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
```

Rule Details

- Rule Code: GA-C002
- Severity: Warning
- Category: Security
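The check this rule performs can be reproduced with a small scanner. The following is an added example, not the linter's own implementation: it walks the `uses:` lines of a workflow, classifies each ref as a full commit SHA, a version tag, or a mutable ref, and reports only the mutable ones, since the rule accepts a version tag as the minimum. The regexes and the sample workflow are constructed for this example; local (`./`) and `docker://` references are skipped because they are not pinned by a git ref.

```python
import re

# A `uses:` step of the form owner/repo[/subpath]@ref, optionally quoted.
# Local actions (./path) and docker:// images do not match and are skipped.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s'"]+)"""
)
# A full-length (40 hex chars) commit SHA is the only immutable reference.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Version tags such as v4, v4.1 or 4.1.0: accepted as the rule's minimum.
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")

# Constructed sample workflow: one offending step among several acceptable ones.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: actions/setup-node@v4
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
"""


def classify_ref(ref):
    """Return 'sha', 'version' or 'mutable' for the ref part of a uses: value."""
    if SHA_RE.match(ref):
        return "sha"
    if VERSION_TAG_RE.match(ref):
        return "version"
    return "mutable"  # branch names (main, master, release/1.x, ...)


def check_workflow(text):
    """Return GA-C002 findings as (line_no, action, ref) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line.split("#")[0])  # drop trailing comments
        if match and classify_ref(match.group(2)) == "mutable":
            findings.append((line_no, match.group(1), match.group(2)))
    return findings


if __name__ == "__main__":
    for line_no, action, ref in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: GA-C002 {action}@{ref} is a mutable ref; pin to a SHA")
```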