
GitHub Actions Still Not Dogfooding Immutable Releases

~1 minute read

It’s been frustrating to watch the hundreds of supply chain attacks this past year, many of which stem from footguns in the security model of GitHub Actions. To understand the problem, one only has to look at all the hoops Astral had to be aware of, and jump through, to tighten their security footprint on GitHub.

Unfortunately, it is unrealistic to expect the entire community to become educated to this level of effort. I believe an approach like Google Cloud’s “Secure by default” philosophy would be more appropriate.

GitHub offers a little-known feature called immutable releases. While it is not a single silver-bullet solution, I believe GitHub could better champion this feature as an example of good practice. For example, the single most used action, actions/checkout, still doesn’t use immutable releases as of May 2026: https://github.com/actions/checkout/issues/2316
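The footgun behind both the immutable-releases discussion and the Astral hardening effort is that a reference like `uses: actions/checkout@v4` resolves to whatever commit the `v4` tag points at when the workflow runs, and a tag can be moved. The commonly recommended mitigation on the consumer side is to pin every third-party action to a full commit SHA (and Docker images to a digest). The script below is an added example, not code from the original post or from GitHub; it scans a workflow file and reports each `uses:` reference that is not pinned. The sample workflow and the 40-hex SHA in it are constructed placeholders, not real commits.

```python
"""Report `uses:` references in a GitHub Actions workflow that are not pinned.

Pinned means: a full 40-hex commit SHA for a remote action, a `@sha256:` digest
for a `docker://` image, or a local action under `./` (versioned with the repo).
"""
import re
from typing import List, NamedTuple

# Constructed sample workflow for the demonstration; the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - run: echo hi
"""

_USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^\s'\"#]+)")
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class UsesRef(NamedTuple):
    line_no: int
    ref: str
    pinned: bool
    reason: str


def classify(line_no: int, ref: str) -> UsesRef:
    """Decide whether one `uses:` reference is pinned to immutable content."""
    if ref.startswith("./"):
        return UsesRef(line_no, ref, True, "local action, versioned with the repository")
    if ref.startswith("docker://"):
        pinned = "@sha256:" in ref
        return UsesRef(line_no, ref, pinned, "image digest" if pinned else "mutable image tag")
    if "@" not in ref:
        return UsesRef(line_no, ref, False, "no ref specified")
    _, version = ref.rsplit("@", 1)
    if _SHA_RE.match(version):
        return UsesRef(line_no, ref, True, "full commit SHA")
    return UsesRef(line_no, ref, False, f"mutable tag or branch {version!r}")


def scan_workflow(text: str) -> List[UsesRef]:
    """Classify every `uses:` line in the workflow text, with 1-based line numbers."""
    results = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = _USES_RE.match(line)
        if match:
            results.append(classify(line_no, match.group("ref")))
    return results


def unpinned(text: str) -> List[UsesRef]:
    """Return only the references that would resolve differently if a tag moved."""
    return [r for r in scan_workflow(text) if not r.pinned]


if __name__ == "__main__":
    for finding in unpinned(SAMPLE_WORKFLOW):
        print(f"line {finding.line_no}: {finding.ref} -> {finding.reason}")
```

Run against a real checkout, the same `unpinned()` call over each file in `.github/workflows/` gives a quick inventory of which third-party actions a repository trusts by mutable tag; tools such as Dependabot can then keep the pinned SHAs current without reintroducing the tag reference.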

This blog post was motivated by a comment I left on GitHub expressing my thoughts on this situation.

additional references:

