Feature Request: Tag Immutability Verification and Auditing #154151
Unanswered
karlpokus
asked this question in
Code Security
Replies: 0 comments
Body
Summary:
Introduce a GitHub-managed database of tag-to-commit mappings to enhance security and transparency in GitHub Actions workflows. This feature would help users identify when tags have been moved and ensure workflows remain reliable.
Proposed Features:
Tag-to-Commit Database:
Maintain a database of the initial commit SHA associated with every tag in public repositories.
Track changes to tags and log when they are moved to a different commit.
Warnings for Tag Changes:
Display warnings in workflow logs or security reports if a referenced tag has been moved since its creation.
Optionally, allow repository or organization administrators to block workflows that use altered tags.
Public API for Verification:
Provide an API to allow users to programmatically verify the immutability of tags in workflows or CI/CD pipelines.
Benefits:
To mitigate https://arstechnica.com/information-technology/2025/03/supply-chain-attack-exposing-credentials-affects-23k-users-of-tj-actions/
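A defender-side sketch of the auditing the request describes, added here as an example and not part of the discussion or of any GitHub feature: it records the commit each tag pointed to when first seen, re-parses `git ls-remote --tags` output later, and classifies every `uses:` reference in a workflow as SHA-pinned, a mutable tag, or a tag that has moved. The repository names, tag names, SHAs and workflow snippet are constructed placeholders.

```python
import re

SHA_RE = re.compile(r"[0-9a-f]{40}")
USES_RE = re.compile(r"uses:\s*([\w.-]+/[\w.-]+)@(\S+)")

# Constructed sample: tag -> commit recorded the first time each tag was observed
RECORDED = {"example-org/example-action": {"v1": "a" * 40, "v1.2.3": "b" * 40}}

# Constructed sample of what `git ls-remote --tags` prints today for that repo.
# v1 now points at a different commit; v1.2.3 is an annotated tag whose tag
# object (e...) peels to the same commit (b...) that was recorded.
LS_REMOTE_NOW = {"example-org/example-action": (
    "c" * 40 + "\trefs/tags/v1\n"
    + "e" * 40 + "\trefs/tags/v1.2.3\n"
    + "b" * 40 + "\trefs/tags/v1.2.3^{}\n")}

# Constructed workflow fragment with two tag references and one SHA pin
SAMPLE_WORKFLOW = """\
steps:
  - uses: example-org/example-action@v1
  - uses: example-org/example-action@v1.2.3
  - uses: example-org/other-action@""" + "0" * 40 + "\n"


def parse_ls_remote(text):
    """Parse `git ls-remote --tags` output into {tag: commit sha}.
    Annotated tags list the tag object first and the peeled commit as name^{};
    the peeled entry wins so comparisons are on commits, not tag objects."""
    tags = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-f]{40})\s+refs/tags/(\S+)$", line)
        if not m:
            continue
        sha, name = m.groups()
        if name.endswith("^{}"):
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)
    return tags


def find_moved_tags(recorded, current):
    """Tags whose current commit differs from the one recorded at first sight."""
    return {t: (s, current[t]) for t, s in recorded.items()
            if t in current and current[t] != s}


def audit_workflow(workflow_yaml, recorded_by_repo, ls_remote_by_repo):
    """Classify each `uses: owner/repo@ref` as pinned-sha, mutable-tag or moved."""
    findings = []
    for repo, ref in USES_RE.findall(workflow_yaml):
        if SHA_RE.fullmatch(ref):
            findings.append((repo, ref, "pinned-sha"))
            continue
        current = parse_ls_remote(ls_remote_by_repo.get(repo, ""))
        moved = find_moved_tags(recorded_by_repo.get(repo, {}), current)
        status = "moved %s -> %s" % moved[ref] if ref in moved else "mutable-tag"
        findings.append((repo, ref, status))
    return findings
```

Run against real repositories by replacing the constructed `LS_REMOTE_NOW` text with the output of `git ls-remote --tags <url>`; a "moved" finding is the signal the request asks GitHub to surface in workflow logs.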