Dispatch
GitHub Actions 2026 Security Roadmap: Deterministic Dependencies and Workflow Policy Controls
GitHub published its Actions 2026 security roadmap responding to recent supply chain attacks targeting CI/CD automation (tj-actions/changed-files, Nx, trivy-action). Key features include a new dependencies: section in workflow YAML that locks all direct and transitive dependencies by commit SHA (similar to go.mod+go.sum), and workflow execution protections built on GitHub's ruleset framework for organization-wide central policy control. Goal is secure-by-default CI/CD without requiring teams to rebuild pipelines.
Source
↳ Follow the thread