[PSA] New GitHub Actions Security Policy - Action Required by April 15, 2026


Priyanka Saggu

Mar 26, 2026, 4:15:05 PM
to dev
Hello everyone,

The Kubernetes project has adopted a new GitHub Actions Security Policy [1] to strengthen our supply chain security across all repositories under Kubernetes GitHub organizations.
This policy is created in response to recent security incidents, including the Trivy GitHub Actions vulnerability [2].

As per the new policy, all projects under Kubernetes GitHub organizations using GitHub Actions must reference actions in workflow files using full-length commit SHA hashes instead of mutable references such as `latest`, tags, branches (like `master`, `main`).
This prevents potential supply chain attacks where compromised actions could inject malicious code through force-updated references.

Immediate Action Required:
Project maintainers are requested to update their GitHub Actions workflows to comply with this policy by April 15, 2026.
After this date, the Kubernetes project will enforce the "Require actions to be pinned to a full-length commit SHA" policy at the enterprise level, and any GitHub Actions workflows using mutable references will fail to run.

Key Requirements:
- Pin all actions to 40-character commit SHA hashes (e.g., `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`)
- New workflows must comply before merge
- We recommend enabling Dependabot for GitHub Actions to automatically keep SHA-pinned actions up to date

If you have questions, please reach out on the #github-management [3] Slack channel.

Regards,
Kubernetes GitHub Admin Team
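The check below is an added example, not part of the original announcement or of the Kubernetes project's tooling. It scans a workflow file for `uses:` lines and reports any reference that is not pinned to a full 40-character commit SHA, which is the condition the policy enforces. The sample workflow is constructed; it reuses the `actions/checkout` SHA quoted in the message and otherwise contains invented action names. Local actions (`./...`) and `docker://` images are skipped because the policy text covers repository actions only.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A full-length commit SHA is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Anything shorter that still looks like hex is an abbreviated SHA, which
# GitHub's "require full-length SHA" setting also rejects.
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
# Matches `uses: owner/repo@ref`, with or without a leading list dash or
# quotes; the capture stops at whitespace or the start of a `# vX.Y.Z` comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")


@dataclass
class Finding:
    line_no: int
    ref: str
    reason: str


def classify_uses(value: str) -> Optional[str]:
    """Return why a `uses:` value violates SHA pinning, or None if it complies."""
    if value.startswith("./") or value.startswith("docker://"):
        # Local composite actions and container images are out of scope here.
        return None
    if "@" not in value:
        # No ref at all resolves to the repository's default branch: mutable.
        return "no ref given (resolves to the default branch)"
    _, ref = value.rsplit("@", 1)
    if FULL_SHA_RE.fullmatch(ref):
        return None
    if SHORT_SHA_RE.fullmatch(ref):
        return f"abbreviated SHA '{ref}'; full 40-character SHA required"
    return f"mutable ref '{ref}' (tag or branch)"


def scan_workflow(text: str) -> List[Finding]:
    """Scan one workflow file's text and return every non-compliant `uses:` line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        value = match.group(1)
        reason = classify_uses(value)
        if reason is not None:
            findings.append(Finding(line_no, value, reason))
    return findings


def is_compliant(text: str) -> bool:
    """True when no `uses:` line in the workflow violates the pinning policy."""
    return not scan_workflow(text)


# Constructed sample workflow: one compliant step, three violations, two skipped.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: actions/setup-go@v5
      - uses: example-org/example-action@main
      - uses: ./.github/actions/local-helper
      - uses: "actions/cache@b4ffde6"
      - name: run in container
        uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.ref}: {f.reason}")
    print("compliant" if is_compliant(SAMPLE_WORKFLOW) else "NOT compliant")
```

Run it against each file under `.github/workflows/` before the enforcement date; the trailing `# v4.1.1` comment in the compliant line is the convention from the policy example and is what keeps a SHA-pinned reference readable when Dependabot bumps it.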


Priyanka Saggu

Apr 16, 2026, 1:14:40 AM
to dev, Priyanka Saggu
Hello Everyone,

The GitHub Actions Security Policy [1] is now enforced at the Kubernetes Enterprise Level.

As a result, any GitHub Actions workflows under Kubernetes GitHub orgs that use mutable references such as `latest`, tags, or branches (like `master`, `main`) will now fail to run.

If your workflows are affected, please update them to pin all actions to 40-character commit SHA hashes (e.g., `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`).

For full details, please refer to the policy documentation [1].

If you have questions, please reach out on the #github-management [2] Slack channel.

Regards,
Kubernetes GitHub Admin Team



Carlos Tadeu Panato Jr

Apr 16, 2026, 5:34:20 AM
to priyankas...@gmail.com, dev, Priyanka Saggu
Cool. Thanks
