By ByteBot
GitHub published its 2026 Actions security roadmap this week, and it’s a direct response to the tj-actions supply chain attack that exposed CI/CD secrets across 23,000 repositories last year. The centerpiece is dependency locking — think go.mod, but for your workflow files. Every action, including transitive dependencies buried inside composite actions, gets pinned to a commit SHA. Hash mismatches stop the job before it runs.
The Mutable Reference Problem
Writing uses: actions/checkout@v4 means you’re trusting whatever commit the v4 tag points to — today, tomorrow, and after a compromise. The tj-actions attack (CVE-2025-30066) exploited this exactly: attackers gained access to the repository, modified version tags to point to a malicious commit, and a Python script then extracted secrets from Runner Worker memory and printed them in public workflow logs. Twenty-three thousand repositories were exposed before anyone noticed.
Standard SHA pinning addresses the top-level action. It does nothing for composite actions that reference other actions internally. Those transitive dependencies are invisible in your workflow file and still resolved at runtime from mutable references. The lockfile approach flattens the entire dependency tree and locks every node.
Dependency Locking: The Main Event
GitHub’s solution is a dependencies: section in workflow YAML that works like go.mod + go.sum. The lockfile records all direct and transitive dependencies with 40-character commit SHAs and SHA-256 integrity hashes. A hash mismatch halts execution before the first job runs.
# Before (mutable — every run resolves tags at runtime)
uses: actions/checkout@v4
# After (locked — deterministic, hash-verified)
dependencies:
actions/checkout@v4:
commit: abc123def456...
integrity: sha256:9f86d08...If you don’t want to wait for public preview (expected Q3 2026), a community tool — gh-actions-lockfile by Garen Torikian — generates compatible lockfiles today. Public preview is slated for approximately three to six months from the March 2026 roadmap announcement.
Native Egress Firewall: Block the Exfiltration Path
Even with locked dependencies, a sophisticated attacker could exploit a vulnerability inside a pinned action. The native egress firewall closes the next door. It operates at Layer 7, outside the runner VM, so it’s immutable even if an attacker gains root access inside the runner. An attacker who can’t phone home can’t exfiltrate your secrets.
GitHub is rolling out two modes: Monitor (log all outbound traffic so you can build an informed allowlist before enforcement) and Enforce (block everything not on the list). Every connection is correlated to the specific workflow run, job, step, and command that initiated it. Public preview is expected Q3–Q4 2026.
OIDC Custom Property Claims: Already Shipped
This one you can use right now. As of April 2026, repository custom properties appear as claims in OIDC tokens. Tag a repository with team=backend and env=production in your organization settings, and those values automatically appear in the repo’s OIDC tokens as repo_property_team and repo_property_env.
The practical payoff is replacing hard-coded allow lists in AWS, Azure, and GCP IAM trust policies with attribute-based access control. Instead of listing specific repository names in a trust policy, you write ABAC rules keyed on repository attributes. The policies update automatically as you add repositories — no per-workflow YAML changes required. See the GitHub Changelog entry for setup steps.
Scoped Secrets: Coming Soon
Right now, a single compromised step can access every secret visible to the workflow. The scoped secrets feature will bind credentials to specific execution contexts — a branch, an environment, a workflow path, or a trusted reusable workflow. If one step is exfiltrated, the blast radius is bounded by what that step was actually authorized to access.
There’s also a permissions change landing alongside it: write access to a repository will no longer grant secret management permissions. A dedicated custom role will control who can create, read, and rotate secrets. Timeline is still TBD, but it’s on the published roadmap.
What To Do Today
Three things you can act on before any of these features hit general availability:
- Pin top-level actions to commit SHAs — not a complete fix, but it closes the obvious attack surface while lockfile support rolls out
- Tag repositories with custom properties —
team,env,tier— and update your cloud ABAC policies to use them (OIDC custom claims are already GA) - Audit secret access — identify which workflows touch production credentials and split them into narrower workflows with tighter permissions
GitHub is finally treating CI/CD infrastructure as what it is: a high-value attack surface that needs platform-level controls, not workflow-by-workflow patches. The fact that StepSecurity has been selling these exact capabilities commercially for years tells you how long this gap has been exploitable. The floor is rising — and it’s about time.
