
GitHub Actions Version Auditor — Check for Outdated & Unpinned Actions

Paste your .github/workflows/*.yml file. Each uses: action is checked against its latest GitHub release — so you can see what’s outdated, still on an old major version, or pinned to a mutable tag instead of a SHA.


Why this matters

  • Outdated actions = security exposure. actions/checkout@v2 is missing the security patches that shipped in v3/v4.
  • Tag pinning is mutable. A publisher can change what @v4 points to. SHA pinning (40-char hash) is immutable.
  • Unverified publishers. Any GitHub user can publish an action. Unknown publishers in your workflow are a supply chain risk.
  • One workflow can fail your whole pipeline. Deprecated action inputs or removed actions cause silent CI failures.

What to do with the results

  • Major version behind: Upgrade immediately. Check the action’s CHANGELOG for breaking changes.
  • Minor version behind: Upgrade when convenient. Usually backwards-compatible.
  • Unverified publisher: Review the action’s source code before trusting it in your pipeline.
  • Not SHA-pinned: For production workflows, consider pinning to a SHA: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
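
The pinning check described above can also be run offline. The following is an added example, not the ReleaseRun tool's own code: it classifies each `uses:` reference by how it is pinned and does not look up latest releases. `REVIEWED_OWNERS`, the sample workflow and `example-org/deploy-action` are assumptions made for illustration.

```python
import re

# Matches "uses: owner/repo[/path]@ref", with or without a leading "- " or quotes.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
VERSION_TAG = re.compile(r"v?\d+(\.\d+){0,2}")

# Assumption: owners your team has already reviewed; adjust to your own policy.
REVIEWED_OWNERS = {"actions", "github"}

def classify(ref):
    """Return how the git ref after '@' is pinned."""
    if FULL_SHA.fullmatch(ref):
        return "sha-pinned"            # immutable 40-char commit hash
    if VERSION_TAG.fullmatch(ref):
        return "mutable-tag"           # publisher can move the tag
    return "mutable-branch-or-other"   # branch name, short SHA, etc.

def audit(workflow_text):
    """Return one finding per remote `uses:` reference in the workflow text."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and docker:// images have no owner/repo@ref to pin.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        owner = action.split("/", 1)[0]
        findings.append({"line": lineno, "action": action, "ref": ref,
                         "pinning": classify(ref) if ref else "missing-ref",
                         "owner_reviewed": owner.lower() in REVIEWED_OWNERS})
    return findings

# Constructed sample workflow; the SHA is the one quoted on this page.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v2
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pinned
      - uses: example-org/deploy-action@main
      - uses: ./.github/actions/local-lint
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Anything reported as `mutable-tag` or `mutable-branch-or-other` is a candidate for SHA pinning, and `owner_reviewed: False` marks actions whose source should be read before use.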

Founded

2023 in London, UK

Contact

hello@releaserun.com
