By ByteBot
GitHub’s CI pipeline has been the supply chain’s soft underbelly for two years. The trivy-action compromise silently hijacked 10,000 workflows in a single afternoon this March. The TanStack attack two weeks ago poisoned 42 npm packages through a GitHub Actions breach. GitHub has now published a security roadmap for Actions — dependency locking, a native egress firewall, and scoped secrets — and for the first time, the platform is addressing these problems at the infrastructure level instead of pushing the burden onto individual developers.
GitHub Admitted the Problem
The roadmap announcement puts it plainly: “attackers are targeting CI/CD automation itself, not just the software it builds.” That sentence is worth sitting with. For years, the advice has been to pin your actions to SHA, use OIDC, minimize token permissions — all good advice, all individually insufficient. The patchwork held until attackers started targeting the patchwork itself. The new roadmap introduces five capabilities organized around three layers: deterministic execution, policy-driven controls, and infrastructure-level observability.
Dependency Locking: Go-Style Lockfile for Your CI Pipeline
The most impactful feature is workflow dependency locking. GitHub is introducing a dependencies: section in workflow YAML that locks every action — direct and transitive — to a specific commit SHA. If you’re familiar with Go’s go.mod + go.sum, it’s the same concept applied to your CI pipeline.
Here’s why this matters more than manual SHA pinning. When you pin actions/checkout to a SHA, you’ve locked the top-level action. But composite actions can call other actions internally — three or four levels deep — and those transitive references are completely invisible to you today. They resolve at runtime from whatever mutable tag or branch the action author used. You pinned the front door and left the back windows open.
The new lockfile flattens the entire dependency tree. Every node gets locked. Dependency changes surface as diffs in PRs, so you see exactly what changed before it runs. A hash mismatch stops execution before a single job fires.
# Today — mutable tag, can be poisoned by moving the tag
- uses: actions/checkout@v4
# Better today — SHA-pinned, but transitive deps still drift
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
# Coming: lockfile pins the entire tree including composite action internals
dependencies:
actions/checkout@v4:
sha: 11bd71901bbe5b1630ceea73d27597364c9af683
verified: trueTimeline: public preview in 3-6 months, GA at 6-9 months.
Native Egress Firewall: Outside the VM, Out of Reach
Third-party tools like StepSecurity’s Harden-Runner already offer egress filtering for GitHub Actions. They work — until they don’t. These solutions run inside the runner VM, which means an attacker with root access can disable them. It’s a meaningful control that has a meaningful ceiling.
GitHub’s native egress firewall operates at Layer 7, outside the runner VM entirely. If an attacker gets root inside the runner, the firewall is still running and still blocking. That’s the architectural difference that matters.
It ships with two operational modes. Monitor mode logs all outbound traffic correlated to the specific workflow run, job, step, and initiating command — giving you the visibility to build an informed allowlist without blocking anything yet. Enforce mode then blocks anything not explicitly permitted. The right approach is to run monitor mode first, understand what your workflows actually need to reach, then enforce. Locking down egress blindly breaks builds.
Scoped Secrets: Least Privilege Finally Applied to CI
Scoped secrets address a problem that’s been quietly causing incidents: implicit secret inheritance. Reusable workflows today can inherit credentials from their callers in ways that expose secrets to execution paths that were never intentionally authorized. Write access to a repository also currently implies the ability to manage secrets — a permissions coupling that has no defensible justification.
Scoped secrets let you bind credentials to specific jobs, steps, or reusable workflows. A deployment secret is only available during the deploy step, not the entire workflow. Compromising one step no longer means access to everything the pipeline can touch.
One piece of this is already GA: OIDC custom property claims shipped on April 2, 2026. You can now use organization-level repository custom properties as claims in OIDC tokens, enabling attribute-based access control in cloud providers without hard-coded repository allow lists. If you use OIDC for cloud access — and you should — this is worth implementing now.
Don’t Wait for GA — Do This Now
The main features hit public preview in 3-6 months and GA in 6-9 months. The attacks are happening now. Five things to do before the roadmap ships:
- Pin every action to a full commit SHA. Tags are mutable. SHAs are not. Use pinact or Renovate to automate this at scale.
- Add a 7-14 day delay before adopting new action versions. Most supply chain attacks have detection windows under one week. A version delay catches 80-90% of them.
pinact --min-age 7enforces this automatically. - Switch to OIDC for cloud access. Long-lived static secrets in CI are a liability. OIDC tokens are short-lived and scoped. This eliminates an entire class of credential theft.
- Set
permissions: read-onlyas the default GITHUB_TOKEN scope. Elevate permissions per job only where required. - Run OpenSSF Scorecards. It surfaces your current supply chain risk score and flags specific workflow issues with remediation guidance.
The Bigger Picture
GitHub is late to this. The tj-actions attack in March 2025 compromised 23,000 repositories. The Trivy hijack in March 2026 hit 10,000+ workflows. TanStack followed six weeks later. A pattern that clear should have triggered infrastructure-level responses sooner. But here we are, and the roadmap is the right response — dependency locking, an immutable egress firewall, and scoped secrets are exactly what the platform should have built after the first major incident.
CI/CD pipelines are production infrastructure. GitHub is finally treating them that way. Check the official roadmap post for the full feature breakdown, and audit your workflows today — the next attack won’t wait for public preview.
