The Pipeline Is the Perimeter — and GitHub Just Admitted It

7 min readByGurvinder Singh

CVE-2025-30066 compromised 23,000 repositories by rewriting a single GitHub Action's version tag. GitHub's 2026 roadmap treats this as a turning point — not a one-off.

Executive Summary The tj-actions/changed-files supply chain attack (CVE-2025-30066, March 2025) extracted CI/CD secrets from 23,000+ repositories by exploiting tag-pinned GitHub Actions — the default pinning method most teams still use. GitHub's 2026 Actions security roadmap responds with dependency locking, immutable releases, and policy-driven execution controls. Combined with the Shai-Hulud 2.0 worm campaign that weaponized GitHub Actions as self-hosted runner backdoors, these incidents confirm that the CI/CD pipeline is the new perimeter. Organizations that still pin actions by tag, store static deploy tokens, or skip permission blocks in workflows are operating with 2019-era assumptions against 2026-era threats.

What CVE-2025-30066 Actually Proved

Between March 12–15, 2025, attackers compromised the GitHub Personal Access Token (PAT) used by the tj-actions bot account. They retroactively rewrote version tags across the tj-actions/changed-files repository — pointing existing tags like @v4 to a malicious commit that extracted CI/CD secrets from runner process memory and printed them to workflow logs.

The attack worked because tag-based pinning (uses: actions/checkout@v4) trusts a mutable pointer. A tag is a name. A name can be moved. A commit SHA cannot.

CISA issued an advisory on March 18, 2025. Wiz Research documented the full attack chain, including exposed GitHub PATs, npm tokens, AWS access keys, and private RSA keys across all affected repositories.

The fix was not a patch. The fix was a practice: pin every action to a full 40-character commit SHA. actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 is v4.2.2 — and it cannot be moved.

Shai-Hulud 2.0: The Worm That Ate the Pipeline

If CVE-2025-30066 was a targeted theft, Shai-Hulud 2.0 was an ecosystem infection.

First documented by Unit 42 and Wiz Research in November 2025, the Shai-Hulud campaign combined npm supply chain poisoning with GitHub Actions exploitation. The attack registered compromised hosts as self-hosted runners, harvested maintainers' publishing credentials, and used those credentials to propagate — automatically publishing malicious packages under legitimate maintainer accounts.

The campaign affected 25,000+ repositories across approximately 350 unique GitHub users, including organizations like AsyncAPI, PostHog, and Postman. Microsoft's Security Response Center published detection guidance in December 2025. The destructive variant deleted victim home directories when exfiltration failed.

The critical insight: GitHub Actions runners are compute environments with credential access. A compromised action does not just read your code. It inherits your deploy tokens, your API keys, and your publishing rights. Every secret available to the runner is available to the attacker.

GitHub's 2026 Roadmap: The Admission

GitHub's 2026 Actions security roadmap reads like a post-incident remediation plan because that is what it is.

Dependency locking introduces a dependencies section in workflow YAML — analogous to Go's go.sum — that locks all direct and transitive action dependencies to commit SHAs. SHA pinning support shipped as a policy option in August 2025; the 2026 roadmap makes it enforceable at the organization level.

Immutable releases prevent version tags from being rewritten after publication. Release assets and tags become permanent. This directly addresses the CVE-2025-30066 attack vector — if tj-actions/changed-files had used immutable releases, the tag rewrite would have failed.

Policy-driven execution consolidates fragmented security controls into a single governance surface. Organizations can define which actions are permitted, require attestation before execution, and enforce approval gates on sensitive workflow triggers.

Endpoint monitoring adds enterprise-grade visibility via the Actions Data Stream and a native egress firewall. The egress firewall is the quiet game-changer — it restricts which external endpoints a workflow runner can reach, limiting the exfiltration channels available to a compromised action.

OIDC Federation: Killing the Static Token

The most impactful change is not in the roadmap document. It has been available since 2023, and most teams still are not using it.

OpenID Connect (OIDC) federation allows GitHub Actions to authenticate to cloud providers — AWS, Azure, Google Cloud Platform (GCP) — without storing static credentials as repository secrets. The workflow requests a short-lived OIDC token from GitHub's identity provider, presents it to the target cloud provider, and receives a temporary access credential scoped to that specific workflow run.

No AWS_ACCESS_KEY_ID in repository secrets. No VERCEL_TOKEN with 12-month expiry sitting in seven repos. No secret rotation calendar that everyone forgets.

For Vercel deployments specifically, OIDC federation replaces the pattern of storing a long-lived VERCEL_TOKEN in every repository. The workflow authenticates to Vercel's API using a token that exists for the duration of the deployment and expires automatically.

AWS IAM recommends evaluating the token.actions.githubusercontent.com:sub condition key in trust policies — this restricts which repositories and branches can assume the deployment role. A compromised fork cannot assume production credentials.

What We Did: SHA-Pinning Seven Repos in One Session

The audit across the GeeksikhSecurity organization found the same pattern in every repository: tag-pinned actions, missing permission blocks, and third-party actions with no supply chain verification.

Across seven Vercel-deployed projects — SecurityLeader.ai, SinghsKaurs.com, SayvaInc.com, Jasgur.com, WhatsonMyBill.com, DecisionBarista.com, and SecGraph.ai — we deployed a hardened workflow that enforces four principles:

SHA-pinned actions only. actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2). The workflow itself verifies that no unpinned actions exist in the repository and fails the build if it finds one.

Least-privilege permissions. Every job declares explicit permissions: contents: read and security-events: write. No job inherits the default write-all that GitHub grants to workflows in private repositories.

Zero third-party actions. The entire workflow uses only GitHub-maintained actions. No amondnet/vercel-action, no treosh/lighthouse-ci-action, no trust decisions delegated to maintainers we have never audited.

Automated supply chain audit. The workflow scans for eight secret patterns (AWS keys, GitHub PATs, OpenAI keys, Slack tokens, Stripe keys, SendGrid keys), verifies npm package integrity hashes, and checks for overly permissive workflow permissions — on every push and PR to main.

A weekly deployment health check verifies security headers and robots.txt AI bot blocking on the live domain. The CI pipeline watches the code. The health check watches the deployment.

Your Next Move

This week: Audit every GitHub Actions workflow in your organization. Run grep -rn 'uses:' .github/workflows/ | grep -v '@[a-f0-9]\{40\}' to find unpinned actions. Every result is a CVE-2025-30066 attack surface. Replace tag pins with SHA pins using the GitHub Actions SHA Pinning guide.

This month: Implement OIDC federation for every cloud provider your pipelines authenticate to. Start with your highest-privilege deployments. AWS, Azure, and GCP all support GitHub Actions OIDC natively. Eliminate every static credential that OIDC can replace.

This quarter: Enable GitHub's organization-level Actions policies. Restrict which actions can run. Require SHA pinning via policy. Review your CODEOWNERS file to ensure workflow changes require security team approval.

Board Talking Points

  • Our CI/CD pipelines authenticate to cloud infrastructure using credentials stored in GitHub. CVE-2025-30066 demonstrated that a single compromised GitHub Action can extract those credentials from 23,000 repositories simultaneously. We have eliminated tag-based action pinning across all production repositories.
  • GitHub's 2026 roadmap introduces dependency locking and immutable releases — features designed to prevent the specific attack vector that CVE-2025-30066 exploited. We are positioned to adopt these controls on day one because our workflows already enforce SHA pinning.
  • OIDC federation eliminates static deploy credentials entirely. Short-lived, scope-limited tokens replace long-lived secrets, reducing our exposure window from months to minutes.

Gurvinder Singh, CISSP, CISA, GWAPT is the founder of SecurityLeader.ai and Information Security Manager at the American Psychological Association. He writes about supply chain security, AI security governance, and building security programs that practitioners can actually use.

Previously: Master Keys & Shadow Trust: The $1B OAuth Supply-Chain Heist | MCP Sentinel Scanner: Automated Security for AI Tool Pipelines

Tags

Supply Chain SecurityGitHub ActionsCI/CD SecurityOIDCDevSecOps