CI/CD Pipelines: Security, Secrets, and Governance/Pin actions to a version or commit

Avoid floating references for critical workflow dependencies.

Section: Reduce pipeline risk

Pin actions to a version or commit

```yaml
- uses: actions/checkout@v4
```
Explanation

Pinning to a version tag reduces surprise breakage, but a tag is a mutable pointer that can be moved to a different commit. For higher assurance, pin to a full commit SHA after validating that commit.
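As an added example (not part of the sheet), a small Python audit that scans a workflow for `uses:` references and reports which are pinned to a full commit SHA, which to a version tag, and which float on a branch; the sample workflow and the commit SHA inside it are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the page); the 40-hex commit SHA is a
# placeholder, not a real actions/checkout commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@v4
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - run: npm test
"""

# Matches `uses:` whether it follows a list dash or a `name:` line; the
# capture stops at whitespace or at a trailing `# version` comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full git commit SHA
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")         # v4, v4.1.6, 4.1

def classify_ref(ref):
    """Classify a `uses:` reference as sha, tag, floating, or local."""
    if ref.startswith("./"):
        return "local"          # in-repo action, versioned with the workflow
    if "@" not in ref:
        return "floating"       # no ref given; treat as unpinned
    version = ref.rsplit("@", 1)[1]
    if SHA_RE.match(version) or version.startswith("sha256:"):
        return "sha"            # immutable: commit SHA or container digest
    if TAG_RE.match(version):
        return "tag"            # version tag: readable, but tags can be moved
    return "floating"           # branch names such as main, master, latest

def audit_workflow(text, require_sha=False):
    """Return (ref, kind) for each reference that violates the pinning policy.

    The default policy rejects floating refs; require_sha=True also rejects
    tags, which is the higher-assurance setting the explanation recommends.
    """
    rejected = {"floating", "tag"} if require_sha else {"floating"}
    findings = []
    for ref in USES_RE.findall(text):
        kind = classify_ref(ref)
        if kind in rejected:
            findings.append((ref, kind))
    return findings

if __name__ == "__main__":
    for ref, kind in audit_workflow(SAMPLE_WORKFLOW, require_sha=True):
        print(f"{kind:9} {ref}")
```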


Related commands

Be careful with untrusted pull requests
Avoid exposing secrets to code from forks.
Require approval for production release
Add environment rules or manual gates before prod deploys.
Use least-privilege permissions in GitHub Actions
Explicitly scope the token for each workflow or job.
Use OIDC instead of long-lived cloud keys
Exchange a short-lived identity token for cloud credentials.
Protect production variables in GitLab
Restrict sensitive variables to protected branches or tags.