Hello everyone,
The Kubernetes project has adopted a new
GitHub Actions Security Policy [1] to strengthen our supply chain security across all repositories under Kubernetes GitHub organizations.
This policy was created in response to recent security incidents, including the Trivy GitHub Actions vulnerability [2].
As per the new policy, all projects under Kubernetes GitHub organizations using GitHub Actions must reference actions in workflow files by full-length commit SHA instead of mutable references such as tags (`v4`, `latest`) or branches (`master`, `main`).
A commit SHA cannot be changed after the fact, so this prevents the class of supply chain attack in which a compromised action's tag or branch is moved (force-pushed) to point at malicious code, which every workflow referencing that tag or branch then runs on its next execution.
Immediate Action Required:
Project maintainers are requested to update their GitHub Actions workflows to comply with this policy by April 15, 2026.
After this date, the Kubernetes project will enforce the "Require actions to be pinned to a full-length commit SHA" policy at the enterprise level, and any GitHub Actions workflow using mutable references will fail to run.
Key Requirements:
- Pin all actions to 40-character commit SHA hashes (e.g., `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`). The trailing comment records the tag the SHA corresponds to, so reviewers can tell which release is in use; Dependabot keeps that comment in sync when it bumps the SHA.
- New workflows must comply before merge
- We recommend enabling Dependabot for GitHub Actions to automatically keep SHA-pinned actions up to date
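As an added illustration (not part of this announcement or of the Kubernetes project's own tooling), the following script checks a workflow file for `uses:` references that are not pinned to a full-length commit SHA, which is the check maintainers will want to run before the enforcement date. The embedded sample workflow is constructed for the example, and the `example-org` actions in it are hypothetical; the `actions/checkout` pin is the one quoted above. Local actions (`./...`) and `docker://` images are treated as out of scope here, which is an assumption of this script rather than a statement of the policy.

```python
import re
import sys

# A `uses:` line, either as a list item ("- uses: ...") or a bare key
# (reusable-workflow jobs use "uses:" directly under the job). The captured
# group stops at whitespace, quotes, or a "#" so a trailing "# v4.1.1"
# comment is not treated as part of the reference.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""", re.MULTILINE)

# A full-length Git commit SHA: exactly 40 lowercase hex characters.
# Abbreviated SHAs (e.g. 7 characters) are deliberately rejected, since
# the GitHub policy requires the full-length form.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref):
    """Classify one `uses:` reference as pinned, unpinned, local, or docker."""
    if ref.startswith("./"):
        return "local"          # action in this repository; no ref to pin (assumption: out of scope)
    if ref.startswith("docker://"):
        return "docker"         # container image; digest pinning is a separate concern (assumption)
    _action, sep, version = ref.rpartition("@")
    if not sep:
        return "unpinned"       # no "@ref" at all means the default branch is used
    return "pinned" if SHA_RE.match(version) else "unpinned"


def is_pinned(ref):
    return classify(ref) == "pinned"


def find_unpinned(workflow_text):
    """Return [(line_number, reference), ...] for every mutable action reference."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref = m.group(1)
        if classify(ref) == "unpinned":
            lineno = workflow_text.count("\n", 0, m.start()) + 1
            findings.append((lineno, ref))
    return findings


# Constructed sample workflow (not a real Kubernetes workflow). Lines 8, 10
# and 14 violate the policy; line 7 is correctly pinned; lines 11 and 12
# are out of scope for this check.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: actions/setup-go@v5
      - name: Lint
        uses: example-org/lint-action@main
      - uses: ./.github/actions/local-check
      - uses: docker://alpine:3.19
  release:
    uses: example-org/shared/.github/workflows/release.yml@v1.2.0
"""


def main(argv):
    # With file arguments, scan those workflow files; otherwise scan the sample.
    sources = [(p, open(p, encoding="utf-8").read()) for p in argv[1:]] or [("<sample>", SAMPLE_WORKFLOW)]
    bad = 0
    for name, text in sources:
        for lineno, ref in find_unpinned(text):
            print(f"{name}:{lineno}: not pinned to a full-length commit SHA: {ref}")
            bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_pins.py .github/workflows/*.yml`; it exits non-zero when any mutable reference remains, so it can gate CI. To find the SHA for a tag you intend to pin, `git ls-remote https://github.com/OWNER/REPO refs/tags/TAG` lists it; note that for an annotated tag the `refs/tags/TAG` line is the tag object, and the peeled `refs/tags/TAG^{}` line is the commit SHA that a workflow must use.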
If you have questions, please reach out on the #github-management [3] Slack channel.