What is the purpose of pinning GitHub Actions to a full commit SHA instead of a tag, and what security risk does it mitigate?

Question

Github — Hard

What is the purpose of pinning GitHub Actions to a full commit SHA instead of a tag, and what security risk does it mitigate?

Accepted Answer

Pinning GitHub Actions to a full commit SHA instead of a tag mitigates supply chain attacks by ensuring the exact audited code is run. This approach prevents malicious actors from overwriting tags to point to compromised code. Incorrect options, such as improving performance or reducing API calls, do not address the security risk.