Securing your supply‑chain with Immutable Releases

[marcransome]

🎯 What changed

We’ve updated our GitHub Actions to ship with immutable releases, a change that strengthens supply‑chain security and improves reproducibility by enforcing stable, verifiable releases.

Note

Short version tags such as v1 and v1.0 are not affected by this change and will continue to function as before. These tags are mutable and we therefore no longer recommend using them in your workflows. These tags may be deprecated in future releases.

💡 Why this matters

• Stronger supply‑chain security — Immutable releases prevent attackers from manipulating Git tags and introducing code changes without your knowledge, ensuring every workflow executes the exact code you intended.
• Guaranteed reproducibility — Each immutable release is permanently tied to a specific commit, eliminating the risk of upstream tag drift and ensuring consistent, predictable CI/CD behaviour over time.
• Transparent, auditable history — Every release includes a cryptographically verifiable attestation containing the tag, commit SHA, and release assets, making it easy to trace and validate what’s running in your workflows.
• A more trustworthy CI/CD baseline — By removing mutable tags and enforcing fixed, verifiable versions, your workflows inherit a more secure, stable foundation for long‑term maintenance.

🔨 What this means for your workflows

If you’re already using our actions, we recommend updating to an immutable release to take advantage of the improved security and reproducibility. Moving to a pinned, immutable version ensures your workflows always run against a fixed, trusted release rather than a mutable tag that could change unexpectedly.

Tip

You can easily identify immutable releases — they’re marked with an “Immutable” label directly beneath the release title. Check the release pages for any actions you use to find the latest immutable versions.

🥳 Thanks for building with us and helping keep the ecosystem secure.