| # | Action | Tier | Mutations |
|---|---|---|---|
Every detected change to a tag's SHA — a force-push to a published release ref. Critical = LTS major (e.g. v4) on a top-200 action.
| When | Action | Tag | From | To | Severity | Compare |
|---|---|---|---|---|---|---|
Latest observed tag + SHA for every tracked action. Use the copy button to paste a ready-to-use pin into your workflow.
| Action | Stars | Tier | Tag | SHA | Mut (30d) | GHSAs | Pin |
|---|---|---|---|---|---|---|---|
Paste a GitHub Actions workflow file. We rewrite every `uses: owner/repo@floating-tag` into an immutable `@<sha> # tag` pin.
Recent GitHub Security Advisories that affect tracked action repos.
| GHSA | Action | Severity | CVE | Published | Summary |
|---|---|---|---|---|---|
tag-drift is a public, no-account dashboard that watches the SHA pinned by every release tag of the most-used GitHub Actions. When a tag's SHA changes — that is, a force-push has rewritten history — we log it. Floating refs like actions/checkout@v4 are convenient but mutable. A single force-push by a compromised maintainer (or by an attacker with leaked credentials) silently changes what every workflow pinned to that ref executes on its next run.
This is exactly how the LiteLLM / Trivy compromise of March 2026 worked, and the same family of weaknesses underpins the TanStack (May 11), node-ipc (May 14) and Mini Shai-Hulud (May 19) npm incidents — workflows pinned by tag executed malicious action versions and leaked publish tokens.
Severity:
- Critical: LTS major tag (e.g. v1, v2, v4) on a top-200 action. High blast radius: thousands of workflows track these.
- Minor and patch tags (e.g. v4.2, v4.2.1). Many teams still pin to these.

GitHub API endpoints polled: /repos/{o}/{r}/tags, /releases, /security-advisories, /advisories, /search/repositories

tag-drift API:
- GET /tag-drift/api/stats · GET /tag-drift/api/actions · GET /tag-drift/api/actions/:owner/:repo
- GET /tag-drift/api/mutations · GET /tag-drift/api/advisories · GET /tag-drift/api/fetch-log
- POST /tag-drift/api/pin body {yaml:"…"} — rewrite to SHA pins
- GET /tag-drift/api/recommend/:owner/:repo · GET /tag-drift/api/export.json|csv
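The two mechanisms the dashboard describes, detecting a tag whose SHA has changed between two polls and rewriting floating `uses:` refs into `@<sha> # tag` pins, as an added example in Python. This is not tag-drift's own code: the snapshot shape (`{action: {tag: sha}}`), the 40-hex placeholder SHAs, the workflow text and the "other" label for non-critical severities are all constructed assumptions for the demonstration.

```python
"""Tag-drift detection and SHA pinning for GitHub Actions workflows.

Added example, not tag-drift's own implementation. Snapshots, SHAs and the
workflow below are constructed; real SHAs would come from /repos/{o}/{r}/tags.
"""
import re
from dataclasses import dataclass

# A `uses:` line: prefix, owner/repo[/subpath], @ref, and anything trailing.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?P<rest>.*)$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")       # an immutable commit pin
MAJOR_TAG_RE = re.compile(r"^v?\d+$")        # LTS major tag such as v4


@dataclass(frozen=True)
class Mutation:
    action: str
    tag: str
    old_sha: str
    new_sha: str
    severity: str


def severity_for(tag: str, top200: bool) -> str:
    """Critical = LTS major tag on a top-200 action (as the dashboard defines it).
    The 'other' label for everything else is an assumption of this example."""
    return "critical" if top200 and MAJOR_TAG_RE.match(tag) else "other"


def detect_mutations(previous: dict, current: dict, top200: set) -> list:
    """Compare two snapshots {action: {tag: sha}}. A tag whose SHA differs
    between polls means the published release ref was force-pushed."""
    found = []
    for action, tags in current.items():
        for tag, sha in tags.items():
            old = previous.get(action, {}).get(tag)
            if old is not None and old != sha:
                found.append(Mutation(action, tag, old, sha,
                                      severity_for(tag, action in top200)))
    return found


def pin_workflow(yaml_text: str, resolved: dict) -> tuple:
    """Rewrite `uses: owner/repo@tag` to `owner/repo@<sha> # tag`.
    Lines already pinned to a SHA, local or docker actions, and refs with no
    known SHA are left untouched; unresolved refs are reported to the caller."""
    unresolved, out = [], []
    for line in yaml_text.splitlines():
        m = USES_RE.match(line)
        if not m or SHA_RE.match(m["ref"]):
            out.append(line)
            continue
        action, ref = m["action"], m["ref"]
        repo = "/".join(action.split("/")[:2])      # subpath actions pin via the repo
        sha = resolved.get(repo, {}).get(ref)
        if sha is None:
            unresolved.append(f"{action}@{ref}")
            out.append(line)
            continue
        out.append(f"{m['prefix']}{action}@{sha} # {ref}")   # keep the tag as a comment
    tail = "\n" if yaml_text.endswith("\n") else ""
    return "\n".join(out) + tail, unresolved


# ---- constructed sample data (placeholder SHAs, not real commits) ----
SHA_A, SHA_B, SHA_C = "a" * 40, "b" * 40, "c" * 40
TOP200 = {"actions/checkout", "actions/setup-node"}
SNAPSHOT_T0 = {"actions/checkout": {"v4": SHA_A, "v4.2.1": SHA_A},
               "actions/setup-node": {"v4": SHA_B}}
SNAPSHOT_T1 = {"actions/checkout": {"v4": SHA_C, "v4.2.1": SHA_A},   # v4 moved
               "actions/setup-node": {"v4": SHA_B}}
WORKFLOW = (
    "name: ci\non: [push]\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n"
    "      - uses: actions/checkout@v4\n"
    "      - uses: actions/setup-node@v4\n        with:\n          node-version: 20\n"
    "      - uses: example-org/unknown-action@v1\n"
    f"      - uses: actions/checkout@{SHA_A} # v4.2.1\n"
)

if __name__ == "__main__":
    for mut in detect_mutations(SNAPSHOT_T0, SNAPSHOT_T1, TOP200):
        print(f"[{mut.severity}] {mut.action}@{mut.tag}: {mut.old_sha[:7]} -> {mut.new_sha[:7]}")
    pinned, missing = pin_workflow(WORKFLOW, SNAPSHOT_T1)
    print(pinned)
    print("unresolved:", missing)
```

Run as a script it reports the force-pushed `v4` tag as critical and prints the pinned workflow; note that the pin for `actions/checkout@v4` is taken from the newer snapshot, so a rewrite performed after a mutation pins to the post-force-push commit, which is why the mutation feed should be consulted before trusting the new SHA.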