GitHub Actions Version Auditor
Paste your GitHub Actions workflow YAML. Instantly see which actions are outdated, deprecated, or using unsafe branch refs — with upgrade recommendations and a security score.
How It Works
Paste Your Workflow
Paste any GitHub Actions workflow YAML — CI pipelines, release workflows, deployment configs, and more.
Instant Analysis
Every uses: reference is parsed and checked against a database of 25+ popular actions for version currency and pinning safety.
Get Recommendations
See your security score, outdated actions, and clear upgrade paths. Copy results as Markdown for your PR or issue.
Action Version Reference
View all 25+ tracked actions and their latest versions
| Action | Latest Major | Latest Minor | Deprecated Versions |
|---|---|---|---|
GitHub Actions Pinning Best Practices
SHA Pinning (Best)
Pin to a full commit SHA for immutable, tamper-proof references. Tags can be force-pushed — SHAs cannot.
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
Major Version Tag (Good)
Pin to a major version tag for automatic minor/patch updates. Good balance of security and maintenance.
uses: actions/checkout@v4
Full Version Tag (OK)
Pinning to an exact version is safe from unexpected updates but requires a manual bump for every patch, so it can fall behind quickly. It is still a tag, so unlike a SHA it can be force-pushed.
uses: actions/checkout@v4.2.2
Branch Ref (Risky)
Never use @main or @master. These change constantly and can introduce breaking changes or compromised code.
uses: actions/checkout@main
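The four pinning levels above can be checked mechanically. The following is an added example, not this tool's own code: classifyUses and auditWorkflow are hypothetical names, the workflow is a constructed sample, and the scan is line-based rather than a real YAML parse. Refs the page does not name (short SHAs, v4.2, release branches) are reported as "other".

```javascript
// Added example: classify each `uses:` reference by the pinning levels above.
// Line-based scan for illustration; it is not a YAML parser.
function classifyUses(uses) {
  // Local actions and container images carry no git ref to pin.
  if (uses.startsWith("./") || uses.startsWith("docker://")) {
    return { uses, ref: null, level: "not-applicable" };
  }
  const at = uses.lastIndexOf("@");
  if (at === -1) return { uses, ref: null, level: "missing-ref" };
  const ref = uses.slice(at + 1);
  let level = "other"; // short SHAs, v4.2, release branches: review by hand
  if (/^[0-9a-f]{40}$/i.test(ref)) level = "sha";              // full commit SHA
  else if (/^v?\d+$/.test(ref)) level = "major-tag";           // v4
  else if (/^v?\d+\.\d+\.\d+$/.test(ref)) level = "full-tag";  // v4.2.2
  else if (/^(main|master)$/.test(ref)) level = "branch";      // moving target
  return { uses, ref, level };
}

function auditWorkflow(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    // `uses: x` or `- uses: x`, optional quotes, optional trailing comment.
    const m = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)["']?\s*(?:#.*)?$/);
    if (m) findings.push({ line: i + 1, ...classifyUses(m[1]) });
  });
  return findings;
}

// Constructed sample workflow (not from a real repository).
const SAMPLE = `
jobs:
  build:
    steps:
      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # pinned
      - uses: actions/checkout@v4
      - uses: actions/checkout@v4.2.2
      - uses: actions/checkout@main
      - uses: actions/checkout@a5ac7e5
      - uses: ./.github/actions/local
`;

for (const f of auditWorkflow(SAMPLE)) {
  console.log(`line ${f.line}: ${f.uses} -> ${f.level}`);
}
```

Only a full 40-character hex ref counts as SHA-pinned here; the abbreviated a5ac7e5 lands in "other" so it gets reviewed rather than trusted.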
FAQ
Is my workflow sent anywhere?
No. Everything is parsed and checked entirely in your browser using JavaScript. Your workflow YAML never leaves your device. The only network request is loading the js-yaml library from a CDN.
How current is the version database?
Updated February 2026. The database covers 25+ of the most popular GitHub Actions from actions/*, docker/*, and other major publishers. We track latest major versions, minor versions, and deprecated version ranges.
What about custom or org-private actions?
Custom and organization-private actions appear as “unknown” in the results. We only track popular public marketplace actions. Unknown actions don't affect your security score.
Why is SHA pinning recommended?
Git tags (like v4) can be force-pushed to point at a different commit — meaning a compromised action author could replace the code behind a tag. SHA references are immutable: once you pin to a commit hash, that exact code runs every time. This is the GitHub-recommended best practice for supply-chain security.