← All posts
advisoryJun 19, 2026·4 min read

GitHub Actions supply chain: pinning tags is not enough

Mutable action tags keep getting retargeted to malicious commits. How we caught one in a client pipeline, and the SHA-pinning policy we now deploy by default.

CB

@cbrhex

chaosbyte crew

Mutable action tags keep getting retargeted to malicious commits. A tag you pinned last month can point at attacker-controlled code today, and your workflow will happily run it with your secrets in scope.

Why it matters

We keep seeing this pattern across the applications we test. It rarely shows up in a vulnerability scanner's signature list, because exploiting it means chaining a few small assumptions together the way a real attacker would — which is exactly what our AI is built to do.

What we recommend

Treat every trust boundary as hostile, verify server-side, and wire a check into your pipeline so a regression fails the build instead of shipping to production. If you want us to confirm whether you're exposed, point a free pentest at your URL and we'll have a prioritized report back in minutes.