GitHub published a detailed 2026 Actions security roadmap in early 2026 that is worth reading as a practitioner, not just as a press release. The items are structurally significant - they address root causes rather than adding more scanning layers on top of existing problems.
Three structural layers define the roadmap.
Ecosystem Layer: Ending Mutable Tags
The most impactful change is workflow dependency locking - a dependencies: section in workflow YAML that pins all action SHAs, including transitive dependencies (actions that call other actions).
# Current state - you pin the direct dependency
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
# Post-locking - transitive deps are also pinned
dependencies:
lock-file: .github/workflow-lock.jsonThe lock file would be analogous to package-lock.json or go.sum - a machine-generated record of every action SHA used in the workflow graph, committed to the repository and verified at runtime. If a maintainer silently moves a tag to a different commit, the lock file fails verification and the workflow errors before executing.
Targeting public preview in mid-2026, GA at six months. This is the automated version of what SHA pinning does manually, extended to the full dependency graph.
Alongside this, GitHub is moving towards immutable releases for Marketplace actions. Under the current model, a Marketplace release is a pointer to a Git tag - which can be rewritten. Under immutable releases, a published version becomes a content-addressed object. The tag can still be moved, but the Marketplace entry refers to the immutable SHA. This closes the tj-actions attack vector at the platform level rather than requiring each consumer to pin.
Attack Surface Layer: Scoped Credentials and Ruleset Policies
Removing secrets: inherit from reusable workflows is the change with the most immediate blast-radius implications. Currently, a calling workflow can pass all its secrets to a reusable workflow with a single directive:
jobs:
call-workflow:
uses: ./.github/workflows/shared.yml
secrets: inherit # passes everythingThe 2026 roadmap makes explicit secret declaration the only option for reusable workflows, forcing callers to enumerate what they are passing:
jobs:
call-workflow:
uses: ./.github/workflows/shared.yml
secrets:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
# AWS_SECRET_KEY is not passed - shared workflow cannot access itThis makes the blast radius of any credential compromise visible in the YAML at review time. If a reusable workflow is compromised, the attacker can only access secrets that were explicitly passed to it.
Ruleset-based workflow policies are already partially in place following the August 2025 changelog that added SHA pinning enforcement. The 2026 expansion extends rulesets to cover: required permissions declarations, prohibited patterns (no secrets: inherit, no actions: read on workflows that write to production), and mandatory attestation steps for deployments to protected environments.
These policies are enforceable at the organisation level - a single configuration applies to all repositories rather than requiring each team to implement their own checks.
Infrastructure Layer: Network Egress and Runtime Observability
The most ambitious part of the roadmap is enforceable network egress boundaries for GitHub-hosted runners. Currently, a GitHub Actions runner has unrestricted outbound internet access. A compromised action can exfiltrate secrets to any IP address - as happened in the tj-actions incident, where stolen credentials were sent to 104.21.14.120.
The proposed model allows organisations to define an allowlist of permitted egress destinations for runners in specific environments. Connections to addresses outside the allowlist are blocked at the network layer rather than relying on runtime monitoring to detect them after the fact.
This is architecturally significant: it changes the attacker’s constraint from “can I steal credentials?” to “can I exfiltrate them anywhere useful given a restricted egress policy?” For most supply chain attacks, the answer becomes no.
Real-time observability complements the network controls. The 2026 roadmap includes per-job network activity logs and file system access summaries surfaced in the GitHub UI, not just available via third-party agents like Harden-Runner. This makes anomaly detection accessible without additional tooling purchases.
What to Prepare for Now
The roadmap has two categories of impact: things that will require workflow changes when they ship, and things that will enable new capabilities.
Prepare for breaking changes:
- Audit all reusable workflow calls using
secrets: inherit. When the explicit-only requirement ships, these will need to enumerate their secrets. Do the audit now before the deadline. - Identify any workflows that depend on unrestricted egress for legitimate reasons (package registries, external APIs). These will need to be on the allowlist when egress controls ship.
Enable new capabilities early:
- Adopt
attest-build-provenancenow. When the Storage and Deployment Record APIs are fully populated, you will want existing provenance data to query against. - Enable SHA pinning enforcement at the organisation level today. The August 2025 policy support already allows this. Waiting for workflow dependency locking means living with mutable dependencies for another six months.
The 2026 roadmap is the first time GitHub has addressed the structural problems with Actions security - mutable dependencies, over-broad credential scope, unrestricted egress - rather than adding scanning layers on top of them. The shift from detective to preventive controls is the right direction.