Summary
GitHub Advanced Security (including dynamic analysis and Copilot code review) uses GitHub Actions workflows that reference external actions by mutable labels (e.g. actions/setup-dotnet@v5). When an organization enables the recommended policy “Require actions to be pinned to a full-length commit SHA”, these workflows fail or remain indefinitely queued.
This puts customers in a position where they must weaken their supply-chain security posture in order to run GitHub’s own security tooling, which should not be required.
Details
We have an organization with the following Actions policies enabled:
- Require actions to be pinned to a full-length commit SHA
- Allow select actions and reusable workflows (deny by default)
With this posture:
- GitHub Advanced Security dynamic analysis fails to run because it references actions such as:
  - actions/setup-dotnet@v5
- The Copilot code review dynamic workflow now fails for the same reason, due to additional external actions referenced by mutable tags
These workflows are GitHub-managed and not user-editable, so customers cannot remediate the issue by pinning SHAs themselves.
Expected behavior
GitHub Advanced Security and Copilot security workflows should be compatible with GitHub’s own recommended supply‑chain security controls.
At least one of the following should be true:
- GitHub-managed workflows use full commit SHAs, or
- GitHub provides an explicit first‑party exemption mechanism that does not require weakening org policy, or
- GitHub publishes documented, pinned equivalents for first‑party security workflows
Actual behavior
- GHAS workflows fail or remain indefinitely queued
- Customers are forced to choose between:
- Enforcing SHA pinning (recommended best practice), or
- Running GitHub’s security tools
There is currently no supported way to do both without introducing a policy exception.
Impact
- Forces security-conscious customers to weaken their supply-chain controls
- Creates audit and compliance issues (especially for regulated environments)
- Undermines the guidance GitHub itself provides around SHA-pinning
- Affects multiple first‑party security features (dynamic analysis, Copilot code review)
This is not limited to a single action or language ecosystem.
Reproduction (high level)
- Enable GHAS dynamic analysis and/or Copilot code review
- Enable Require actions to be pinned to a full-length commit SHA
- Restrict allowed actions to an allow-list
- Trigger a PR or default branch run
- Observe GHAS-managed workflows failing or stuck in queued
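To make concrete what the pinning policy checks, here is an added example (not code from the original report or from GitHub) that scans a workflow for `uses:` references and flags any whose ref is not a full-length commit SHA. The sample workflow is constructed; the 40-hex SHA in it is a placeholder, not the real commit for any actions/setup-node release. Treating local `./` actions and `docker://` images as outside the policy, and every other repository reference as subject to it, is an assumption for this check.

```python
"""Flag `uses:` references in a GitHub Actions workflow that would fail the
org policy "Require actions to be pinned to a full-length commit SHA".
Added example; not part of the original report."""
import re
from typing import List, Tuple

# A full-length commit SHA is 40 lowercase hex characters.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches "- uses: owner/repo@ref" and "uses: owner/repo@ref", with optional quotes.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)['\"]?")

# Constructed sample workflow resembling what the report describes: mutable tag
# references next to a pinned one. The SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: build
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v5
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: dotnet build
"""


def classify_ref(ref: str) -> str:
    """Return 'pinned', 'mutable' or 'exempt' for a single `uses:` value."""
    # Local composite actions have no ref; assumed exempt from the SHA policy.
    if ref.startswith("./"):
        return "exempt"
    # docker:// images are not repository actions; assumed outside the policy.
    if ref.startswith("docker://"):
        return "exempt"
    if "@" not in ref:
        return "mutable"  # no ref at all resolves to the default branch
    _, _, version = ref.rpartition("@")
    return "pinned" if FULL_SHA.match(version) else "mutable"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, ref) for every uses: line that is not SHA-pinned."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if classify_ref(ref) == "mutable":
            hits.append((n, ref))
    return hits


if __name__ == "__main__":
    for n, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref} is not pinned to a full-length commit SHA")
```

Run against a repository's own `.github/workflows/*.yml` this gives a local pre-check for the same condition the org policy enforces; it cannot be applied to the GitHub-managed workflows the report concerns, because those are not present in the repository to scan or edit.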
Additional context
- Customers cannot edit or fork GHAS-managed workflows
- These are first‑party GitHub security tools
- The workaround today is to relax Actions policies, which contradicts GitHub security guidance
Happy to provide additional diagnostics if needed.