A recent technical report by dhawos.dev warns that the convenience of using third-party marketplace actions in GitHub Actions is creating significant security vulnerabilities in CI/CD pipelines.
The analysis suggests that the growing reliance on pre-built actions often leads to a lack of environment consistency between developer machines and continuous integration systems. This discrepancy can hinder the delivery of high-quality services and slow the pace of development.
According to dhawos.dev, the rise of GitHub Actions is a symptom of deeper structural issues in DevOps. The author notes that while the promise of minimizing CI maintenance via the marketplace is enticing, the practice can lead to critical security failures.
Specifically, the report points to the risk of compromised actions stealing sensitive credentials. The author cites recent real-world incidents, including the Trivy security scanner hack and the 2025 compromise of the tj-actions/changed-files action, as evidence of this danger.
"All it takes is one compromised action to have those secrets stolen," dhawos.dev reports. The author adds that the time saved by not writing custom actions is often lost managing the consequences of such an attack.
Beyond security, the report identifies a loss of testing capability. Using third-party actions makes it difficult to test pipeline changes locally, which can delay critical hotfixes when a failure occurs in the CI/CD environment.
Achieving Reproducible Environments
To mitigate these risks, the report advocates for implementing best practices that prioritize security and reproducibility. The author suggests using tools like Nix or Docker to ensure that execution environments remain identical across Linux and macOS.
One primary recommendation is to "pin" actions to specific commits rather than relying on mutable tags like v9. This prevents an attacker who gains control of an action's repository from re-pointing a version tag at a malicious revision of that action.
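As an added illustration of the pinning check described above (example code, not part of the report or of any project it mentions), the following script scans a workflow for `uses:` references and flags any that resolve through a mutable tag or branch instead of a full 40-character commit SHA. The sample workflow text and the SHA in it are constructed placeholders.

```python
import re

# Constructed sample workflow mixing pinned, unpinned and local actions.
# The 40-hex value is a placeholder, not a real commit of any action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: golangci/golangci-lint-action@master
      - uses: ./.github/actions/local-lint
      - run: go test ./...
"""

# Matches "uses:" lines and captures the action reference (stops at comments/quotes).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# A full commit SHA is exactly 40 hexadecimal characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses: str) -> str:
    """Classify an action reference as local, sha-pinned, mutable (tag/branch) or unpinned."""
    if uses.startswith("./"):
        return "local"          # action lives in this repository; nothing external to pin
    if "@" not in uses:
        return "unpinned"       # no ref at all: resolves to the default branch
    _, ref = uses.rsplit("@", 1)
    return "sha" if SHA_RE.match(ref) else "mutable"


def find_unpinned(workflow_text: str) -> list[tuple[str, str]]:
    """Return (reference, kind) for every external action not pinned to a commit SHA."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        kind = classify_ref(uses)
        if kind in ("mutable", "unpinned"):
            findings.append((uses, kind))
    return findings


if __name__ == "__main__":
    for ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"{kind:>8}: {ref}")
```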
By controlling the exact version of tools like golangci-lint, developers can avoid discrepancies between local and CI results. The report concludes that while the benefits of GitHub Actions are significant, developers must move away from unverified automation to protect their software supply chains.