Why are Github actions trusted without commit hashes tags?

[huornlmj]

As the title, why are Github actions trusted without commit hashes tags? As in...

- uses: actions/checkout@v4

Won't flag as missing a hash commit because of the @v4 here. Are Github's own actions impervious to attack?

[woodruffw]

There are two reasons for this:

1. zizmor attempts to walk a fine line in terms of alert volume: too many alerts (even conceptually sound ones) result in alert fatigue and people disabling/ignoring the findings entirely. From this actions/* is considered "ref-pinnable" because the average GHA setup uses the official actions everywhere, and flooding people with advisories about it would fatigue them.
2. GitHub is in fact somewhat impervious to attack: most of the actions/* and other official actions are secretly immutable under the hood, via Immutable Actions. I believe that feature isn't generally available yet, but if/when it becomes generally available then other org namespaces will similarly be immutable despite appearing to use a git tag. Feature: Figure out how to detect immutable actions #766 has some more context, since zizmor will eventually need to detect and handle these.

TL;DR: the original reason was alert fatigue, but the secondary (and arguably more important) reason is that GitHub's actions/* and other official namespaces actually are secretly immutable under the hood. So, flagging them by default wouldn't result in a security posture change per se 🙂