[PSA] New GitHub Actions Security Policy - Action Required by April 15, 2026

Priyanka Saggu

Mar 26, 2026, 4:15:05 PM
to dev
Hello everyone,

The Kubernetes project has adopted a new GitHub Actions Security Policy [1] to strengthen our supply chain security across all repositories under Kubernetes GitHub organizations.
This policy is created in response to recent security incidents, including the Trivy GitHub Actions vulnerability [2].

As per the new policy, all projects under Kubernetes GitHub organizations using GitHub Actions must reference actions in workflow files using full-length commit SHA hashes instead of mutable references such as `latest`, tags, branches (like `master`, `main`).
This prevents potential supply chain attacks where compromised actions could inject malicious code through force-updated references.

Immediate Action Required:
Project maintainers are requested to update their GitHub Actions workflows to comply with this policy by April 15, 2026.
After this date, the Kubernetes project will enforce the "Require actions to be pinned to a full-length commit SHA" policy at the enterprise level, and any GitHub Actions workflows using mutable references will fail to run.

Key Requirements:
- Pin all actions to 40-character commit SHA hashes (e.g., `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`)
- New workflows must comply before merge
- We recommend enabling Dependabot for GitHub Actions to automatically keep SHA-pinned actions up to date

If you have questions, please reach out on the #github-management [3] Slack channel.

Regards,
Kubernetes GitHub Admin Team
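A small checker for the rule described in the announcement above (an added example, not part of the original message or of any Kubernetes tooling): it scans a workflow file for `uses:` references and reports those not pinned to a 40-character commit SHA. It assumes that same-repository (`./`) and `docker://` references are out of scope for the SHA rule, and the sample workflow is constructed.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full-length commit SHA."""
import re

# Git object ids are 40 lowercase hex characters.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref # comment", with an optional list dash and optional quotes.
USES_LINE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)['\"]?\s*(?:#\s*(?P<comment>.*))?$"
)


def classify(uses_value):
    """Return 'local', 'docker', 'pinned' or 'mutable' for one `uses:` value."""
    if uses_value.startswith("./"):
        return "local"      # action in the same repo: out of scope (assumption)
    if uses_value.startswith("docker://"):
        return "docker"     # container image reference: out of scope here (assumption)
    if "@" not in uses_value:
        return "mutable"    # no ref at all resolves to the default branch
    ref = uses_value.rsplit("@", 1)[1]
    return "pinned" if FULL_SHA.match(ref) else "mutable"


def find_violations(workflow_text):
    """Return (line_no, uses_value) for every reference that is not SHA-pinned."""
    violations = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m and classify(m.group("ref")) == "mutable":
            violations.append((line_no, m.group("ref")))
    return violations


# Constructed sample workflow mixing tag, branch, SHA, local, docker and reusable-workflow refs.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@main
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - name: Reusable
        uses: org/repo/.github/workflows/reuse.yml@master
"""

if __name__ == "__main__":
    for line_no, ref in find_violations(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a full-length commit SHA")
```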


Priyanka Saggu

Apr 16, 2026, 1:14:40 AM
to dev, Priyanka Saggu
Hello Everyone,

The GitHub Actions Security Policy [1] is now enforced at the Kubernetes Enterprise Level.

As a result, any GitHub Actions workflows under Kubernetes GitHub orgs that use mutable references such as `latest`, tags, or branches (like `master`, `main`), will now fail to run.

If your workflows are affected, please update them to pin all actions to 40-character commit SHA hashes (e.g., `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`).

For full details, please refer to the policy documentation [1].

If you have questions, please reach out on the #github-management [2] Slack channel.


Carlos Tadeu Panato Jr

Apr 16, 2026, 5:34:20 AM
to priyankas...@gmail.com, dev, Priyanka Saggu
Cool. Thanks
