Every third-party action uses version tags (@v6, @v1, @v7, @v1.72.0, @v0.0.12, @v23.2.0, @V3, etc.) instead of SHA commit hashes. Tags in GitHub Actions are mutable — they can be force-pushed or reassigned. An attacker who compromises an action maintainer's account could re-point a tag to malicious code. The only safe pinning mechanism is @<40-char-sha>.
REPRODUCTION: Run gh api repos/actions/checkout/git/ref/tags/v6 and observe that tags reference a commit that can be moved.
IMPACT: Supply chain attack via tag reassignment. All 10 workflows are affected.
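A scanner for the condition described above, added here as an example rather than code from the original report: it walks the `uses:` lines of a workflow file, treats only a 40-character hex ref as a pinned SHA, and reports every third-party action pinned to a tag or branch (local `./` actions and `docker://` images are listed separately, since tag pinning applies to repository actions). The workflow text and the SHA in it are constructed sample data.

```python
import re

# Constructed sample workflow (not from any real repository); the 40-char
# SHA on the docker/login-action line is a placeholder value, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v4.0.2
      - uses: docker/login-action@1d2b0f2a3c4d5e6f708192a3b4c5d6e7f8091a2b # v3.1.0
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
      - name: Test
        run: npm test
"""

# Captures the value after `uses:` up to whitespace, a quote, or a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)')
# A full 40-hex-digit git object id is the only ref that cannot be re-pointed.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(uses_value):
    """Return (action, ref, kind) with kind in {'sha', 'mutable', 'local', 'docker'}."""
    if uses_value.startswith('./'):
        return uses_value, None, 'local'
    if uses_value.startswith('docker://'):
        return uses_value, None, 'docker'
    action, _, ref = uses_value.partition('@')
    if SHA_RE.match(ref):
        return action, ref, 'sha'
    # Tags (v6, v1.72.0), branches (main) and a missing ref are all mutable.
    return action, ref or None, 'mutable'


def find_mutable_pins(workflow_text):
    """Return [(line_number, action, ref)] for every action not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, kind = classify_ref(m.group(1))
        if kind == 'mutable':
            findings.append((lineno, action, ref))
    return findings


if __name__ == '__main__':
    for lineno, action, ref in find_mutable_pins(SAMPLE_WORKFLOW):
        print(f'line {lineno}: {action}@{ref} is pinned to a mutable ref')
```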