Pinning GitHub Actions for Reproducibility and Security

Published: 1 month ago (December 25, 2025 at 08:07 PM EST)

1 min read

Source: Dev.to

Cover image for Pinning GitHub Actions for Reproducibility and Security

Why version tags can be unsafe

Version tags like actions/checkout@v5 are mutable—maintainers can move them, re‑release them, or even force‑push. This means your workflow could end up running different code tomorrow without any change on your side.

Pin to a commit SHA

Pinning an action to a specific commit SHA guarantees that the exact same code is used every time.

# Get the SHA for a specific tag (e.g., v5.0.1)
gh api repos/actions/checkout/commits/v5.0.1 --jq '.sha'

Then reference the SHA in your workflow:

- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1

For a deeper dive, read the full article.

Back to Blog

The $0 Localization Stack for Solo .NET Developers

How I Translated My .NET App to 5 Languages for $0 As a Solo Dev I’m a solo developer with a medical‑practice app built in .NET. It started as an English‑only...

Building an AI-Powered Code Editor: (part 2) LLM like interpreter

It’s Not a Prompt. It’s a Procedural DSL in Natural Language While building LLM CodeForge, an agentic editor that allows LLMs to read, modify, and test code au...

Networking for DevOps (Senior-Level, Production-Focused)

What a 6‑Year DevOps Engineer MUST Know Expectation At this level, companies expect you to: - Debug connectivity issues under pressure - Understand network flo...

# The Engineering Behind Zero-Buffer 4K Streaming: A Deep Dive into High-Performance Smart4k IPTV Architecture

The Engineering Behind Zero‑Buffer 4K Streaming: A Deep Dive into High‑Performance IPTV Architecture Tags: webdev streaming architecture performance Canonical U...