GitHub Actions 2026年セキュリティロードマップの展望
GitHubは2026年のセキュリティロードマップとして、ソフトウェアサプライチェーン攻撃に対抗するため、GitHub Actionsの依存関係を固定化するワークフローレベルのロック機能など、セキュアなデフォルト動作を実現する3層のセキュリティ強化策を発表した。
キーポイント
ソフトウェアサプライチェーン攻撃の深刻化
CI/CD自動化自体を標的とした攻撃が増加しており、脆弱性の導入が容易で検出が困難な現状がある。
2026年ロードマップの3層アプローチ
エコシステム(依存関係の固定化)、攻撃対象領域(ポリシーとスコープ付き認証情報)、インフラストラクチャ(リアルタイム可観測性)の3層でGitHub Actionsのセキュリティを強化する。
ワークフローレベル依存関係ロックの導入
ワークフローYAMLにdependenciesセクションを追加し、直接・推移的依存関係をコミットSHAで固定化することで、実行の再現性と監査可能性を確保する。
セキュアなデフォルトへの移行
Actionsの再構築ではなく、セキュアな動作をデフォルトとし、すべてのチームがCI/CDセキュリティの専門家になれるように支援する方針。
ロックファイルのマイルストーン
パブリックプレビューは3-6ヶ月後、一般提供は6ヶ月後を目標としている。将来的には不変リリースによる公開の強化を計画している。
ポリシー駆動実行による攻撃対象領域の縮小
GitHubのルールセットフレームワークに基づくワークフロー実行保護を導入し、ワークフローをトリガーできるユーザーや許可されるイベントを中央ポリシーで制御する。
実行保護と安全な導入
ポリシーを満たさないワークフローの実行をブロックする実行保護を導入し、evaluateモードで影響を評価してから強制適用できるようにする。
影響分析・編集コメントを表示
影響分析
この発表は、ソフトウェア開発の基盤であるCI/CDパイプラインのセキュリティを根本から見直す重要な動きを示している。依存関係の固定化とセキュアデフォルトの実現により、開発者体験を損なわずにセキュリティを向上させ、業界全体のセキュリティ標準を引き上げる可能性がある。
編集コメント
CI/CDセキュリティの根本的な課題に正面から取り組む野心的なロードマップ。実装次第では開発現場のセキュリティプラクティスを大きく変える可能性がある。
最近の攻撃は、無制限の実行環境が影響を増幅させ、シークレットの流出、不正な公開、長期間の潜伏を可能にすることを示しています。CI/CDを保護するには、そのワークロードを、明示的な制御と継続的な可観測性を持つ第一級のセキュリティドメインとして扱う必要があります。
変更点
GitHub Actions向けにエンタープライズグレードのエンドポイント保護を導入します。まずはActions Data Stream(可観測性)とネイティブエグレスファイアウォール(制御)から始めます。
Actions Data Streamによる可観測性の向上
現在のCI/CDの可視性は断片的で、洞察や監視が限られています。自動化がより強力で、よりターゲットを絞ったものになるにつれ、組織はインシデント後に調査するだけでなく、実行中のアクションを継続的に観察する能力を必要としています。
Actions Data Streamは以下を提供します:
ほぼリアルタイムの実行テレメトリ
既存システムへの集中配信
サポート対象の宛先:
Amazon S3
Azure Event Hub / Data Explorer
イベントは少なくとも1回の配信保証付きでバッチ配信され、選択したプラットフォームで確実なインデックス作成と相関付けを可能にする共通スキーマを使用します。
観察できる内容:
リポジトリや組織をまたがるワークフローとジョブの実行詳細
依存関係解決とアクションの使用パターン
(将来)ネットワーク活動とポリシー適用結果
これが重要な理由
集中化されたテレメトリがなければ、異常は気づかれず、検知はインシデント後になり、対応は遅れます。
Actions Data Streamは、CI/CDを他の本番システムと同様に可観測にすることでこの問題を解決します。
マイルストーン:
フェーズ 目標
パブリックプレビュー 3-6ヶ月
一般提供 6-9ヶ月
GitHubホストランナー向けネイティブエグレスファイアウォール
現在の課題
現在、GitHubホストランナーは無制限のアウトバウンドネットワークアクセスを許可しています。これは以下を意味します:
データ流出が容易
依存関係を取得するために使用できるパッケージレジストリに制限がない
予期されるネットワークトラフィックと予期しないネットワークトラフィックの明確な区別がない
変更点
GitHubホストランナー向けにネイティブエグレスファイアウォールを構築し、CI/CDインフラストラクチャを強制力のあるネットワーク境界を持つ重要なインフラストラクチャとして扱います。
このファイアウォールは、ランナーVMの外部でレイヤー7で動作します。攻撃者がランナー環境内でルートアクセスを取得した場合でも不変のままです。組織は以下を含む正確なエグレスポリシーを定義します:
許可されたドメインとIP範囲
許可されたHTTPメソッド
TLSとプロトコル要件
このファイアウォールは2つの補完的な機能を提供します:
監視(Monitor):組織はランナーからのすべてのアウトバウンドネットワークトラフィックを監視でき、すべてのリクエストが自動的に監査され、ワークフロー実行、ジョブ、ステップ、開始コマンドに関連付けられます。この可視性により、チームはワークフローが何に接続しているかを理解し、情報に基づいた許可リストを構築し、制限を適用する前にその影響を評価するために必要なデータを得ることができます。
強制(Enforce):組織は、明示的に許可されていないトラフィックをブロックするエグレスポリシーを強制し、ビルド環境から到達可能なのは承認された宛先のみであることを保証できます。
監視と強制を組み合わせることで、安全な導入パスが生まれます:まずトラフィックパターンを観察し、実際のデータに基づいて正確な許可リストを作成し、自信を持って強制を有効化します。
マイルストーン:
フェーズ 目標
パブリックプレビュー 6-9ヶ月
将来の目標:ランナーを保護されたエンドポイントとして扱う
ランナーは使い捨てのブラックボックスとして扱われるべきではありません。私たちは以下に向けて拡張しています:
プロセスレベルの可視性
ファイルシステム監視
より豊富な実行シグナル
ほぼリアルタイムの強制
これが実際に意味すること
CI/CDは企業やオープンソースの重要なインフラストラクチャの一部となりました。依存関係管理、複雑で暗黙的な信頼境界、シークレット処理、可観測性に関する私たちが見てきた失敗は、ソフトウェアサプライチェーン全体での攻撃の増加につながっています。
2026年GitHub Actionsロードマップはこれに直接応えます。私たちはプラットフォームを、これらの攻撃を阻止することに焦点を当てた、デフォルトで安全で検証可能な自動化に向けて移行しています。
それは以下を意味します:
ワークフローは決定論的でレビュー可能になる
シークレットは明示的にスコープされ、広く継承されない
実行はYAMLだけではなくポリシーによって統治される
ランナーは可観測で制御可能なシステムになる
GitHub Actionsは柔軟性を維持します。私たちのロードマップは、すべてのチームがCI/CDモデルをゼロから再構築する必要なく、Actionsをデフォルトで安全で監査可能な自動化プラットフォームに向けて進化させるように設計されています。
始めるには
GitHubコミュニティでの議論に参加して、ご意見をお聞かせください。
この投稿『What’s coming to our GitHub Actions 2026 security roadmap』は、The GitHub Blogに最初に掲載されました。
原文を表示
Why this matters right now
Software supply chain attacks aren’t slowing down. Over the past year, incidents targeting projects like tj-actions/changed-files, Nx, and trivy-action show a clear pattern: attackers are targeting CI/CD automation itself, not just the software it builds.
The playbook is consistent:
Vulnerabilities allow untrusted code execution
Malicious workflows run without observability or control
Compromised dependencies spread across thousands of repositories
Over-permissioned credentials get exfiltrated via unrestricted network access
Today, too many of these vulnerabilities are easy to introduce and hard to detect. We’re working to address this gap.
What we’re building
Our 2026 roadmap focuses on securing GitHub Actions across three layers:
Ecosystem: deterministic dependencies and more secure publishing
Attack surface: policies, secure defaults, and scoped credentials
Infrastructure: real-time observability and enforceable network boundaries for CI/CD runners
This isn’t a rearchitecture of Actions; it’s a shift toward making secure behavior the default, helping every team to become CI/CD security experts.
Here’s what’s coming next, and when.
- Building a more secure Actions ecosystem
The current challenge
Action dependencies are not deterministic and are resolved at runtime. Workflows can reference a dependency by various mutable references including tags and branches.
That means what runs in CI isn’t always fixed or auditable. Maintainers of Action workflows, for instance, typically manage updates through mutable tags that point to the latest commits of a major or minor release.
Using immutable commit SHAs helps, but it’s hard to manage at scale and transitive dependencies remain opaque.
That mutability has real consequences. When a dependency is compromised, the change can propagate immediately across every workflow that references it.
As recent supply chain incidents have shown, we can’t rely on the security posture of every maintainer and repository in the ecosystem to prevent the introduction of malicious code.
What’s changing: workflow-level dependency locking
We’re introducing a dependencies: section in workflow YAML that locks all direct and transitive dependencies with the commits SHA,
Think of it as Go’s go.mod + go.sum, but for your workflow with complete reproducibility and auditability.

What this changes in practice:
Deterministic runs: Every workflow executes exactly what was reviewed.
Reviewable updates: Dependency changes show up as diffs in pull requests.
Fail-fast verification. Hash mismatches stop execution before jobs run.
Full visibility. Composite actions no longer hide nested dependencies.
In your workflows, this means you will be able to:
Resolve dependencies via GitHub CLI
Commit the generated lock data into your workflow
Update by re-running resolution and reviewing diffs
Our current milestones for lock files are as follows:
Milestones:
PhaseTarget
Public preview3-6 months
General availability6 months
Future: hardened publishing with immutable releases
Beyond consumption, we’ll harden how workflows are published into the Actions ecosystem. On the publishing side, we’re moving away from mutable references and towards immutable releases with stricter release requirements.
Our goal is to:
Make it clearer on how and when code to enters the ecosystem
Create a central enforcement point for detecting and blocking malicious code
- Reducing attack surface with secure defaults
The current challenge
GitHub Actions is flexible by design. Workflows can run:
In response to many events
Triggered by various actors
With varying permissions
But as organizations scale, the relationship between repository access and workflow execution needs more granularity. Different workflows, teams, and enterprises need very different levels of exposure. Moreover, it leads to over-permissioned workflows, unclear trust boundaries, and configurations that are easy to get wrong.
Attacks like Pwn Requests show how subtle differences in event triggers, permissions, and execution contexts can be abused to compromise sensitive environments. Scaling this across thousands of repositories and contributors requires centralized policy.
What’s changing: policy-driven execution
We’re introducing workflow execution protections built on GitHub’s ruleset framework.
Instead of reasoning about security across individual YAML files, you define central policies that control:
Who can trigger workflows
Which events are allowed
This shifts the model from distributed, per-workflow configuration that’s difficult to audit and easy to misconfigure, to centralized policy that makes broad protections and restrictions visible and enforceable in one place.
Our core policy dimensions include:
Actor rules specify who can trigger workflows such as individual users, roles like repository admins, or trusted automation like GitHub Apps, GitHub Copilot, or Dependabot.
Event rules define which GitHub Actions events are permitted like push, pull_request, workflow_dispatch, and others.
For example, an organization could restrict workflow_dispatch execution to maintainers, preventing contributors with write access from manually triggering sensitive deployment or release workflows. Separately, they could prohibit pull_request_target events entirely and only allow pull_request, ensuring workflows triggered by external contributions run without access to repository secrets or write permissions.
These protections scale across repositories without per-workflow configuration. Enterprises apply consistent policies organization-wide using rulesets and repository custom properties, reducing operational risk and governance overhead.
Why this matters for attack prevention:
Many CI/CD attacks depend on:
Confusing event behavior
Unclear permission boundaries
Unexpected execution contexts
Execution protections reduce this attack surface by ensuring that workflows that don’t meet policy never run.
Safe rollout: evaluate mode
To help teams adopt these protections safely, workflow execution rules support evaluate mode. In evaluate mode, rules are not enforced, but every workflow run that would have been blocked is surfaced in policy insights (similar to repository rulesets). This lets organizations assess the impact of new policies before activating enforcement, identifying affected workflows, validating coverage, and building confidence without disrupting existing automation.
Milestones:
PhaseTarget
Public preview3-6 months
General availability6 months
Scoped secrets and improved secret governance
The current challenge
Secrets in GitHub Actions are currently scoped at the repository or organization level. This makes secrets difficult to use safely, particularly with reusable workflows where credentials flow broadly by default. Teams need finer-grained controls to bind credentials to specific execution contexts.
What’s changing: scoped secrets
Scoped secrets introduce fine-grained controls that bind credentials to explicit execution contexts. Secrets can be scoped to:
Specific repositories or organizations
Branches or environments
Workflow identities or paths
Trusted reusable workflows without requiring callers to pass secrets explicitly
What this changes
Secrets are no longer implicitly inherited
Access requires matching an explicit execution context
Modified or unexpected workflows won’t receive credentials
Reusable workflow secret inheritance
Reusable workflows enable powerful composition, but implicit secret inheritance has caused friction within platform teams. When secrets automatically flow from a calling workflow into a reusable workflow, trust boundaries blur, and credentials can be exposed to execution paths that were never explicitly approved.
With scoped secrets:
Secrets are bound directly to trusted workflows
Callers don’t automatically pass credentials
Trust boundaries are explicit
Permission model changes for Action Secrets
We’re separating code contributions from credential management.
That means write access to a repository will no longer grant secret management permissions and helps us move toward least privilege by default.
This capability will instead be available through a dedicated custom role and will remain part of the repository admin, organization admin, and enterprise admin roles.
Together, these changes make it possible to ensure credentials are only issued when both the workflow and the execution context are explicitly trusted.
Milestones:
CapabilityPhaseTarget
Scoped secrets & reusable workflow inheritancePublic preview3-6 months
Scoped secrets & reusable workflow inheritanceGA6 months
Secrets permissionGA3-6 months
Our future goal: building a unified policy-first security model
Longer term, our goal is fewer implicit behaviors, fewer per-workflow configurations, and more centralized, enforceable policy.
We want to give enterprises the ability to define clear trust boundaries for workflow execution, secret access, and event triggers without encoding complex security logic into every workflow file.
This includes expanding policy coverage, introducing richer approval and attestation gates, and consolidating today’s fragmented controls into a single governance surface.
- Endpoint monitoring and control for CI/CD infrastructure
The current challenge
CI/CD infrastructure is critical infrastructure. GitHub Actions runners execute untrusted code, handle sensitive credentials, and interact with external systems and input.
But historically:
Visibility is limited
Controls are minimal
Investigation is reactive
When something goes wrong, organizations often have limited insight into what executed, where data flowed, or how a compromise unfolded.
Recent attacks have shown how unrestricted execution environments amplify impact, enabling secret exfiltration, unauthorized publishing, and long dwell times. Securing CI/CD requires treating its workloads as a first-class security domain with explicit controls and continuous visibility.
What’s changing
We’re introducing enterprise-grade endpoint protections for GitHub Actions, starting with the Actions Data Stream (visibility) and the native egress firewall (control).
Increased visibility with Actions Data Stream
CI/CD visibility today is fragmented with limited insight or monitoring. As automation becomes more powerful, and more targeted, organizations need the ability to observe execution behavior continuously, not just investigate after an incident.
The Actions Data Stream provides:
Near real-time execution telemetry
Centralized delivery to your existing systems
Supported destinations:
Amazon S3
Azure Event Hub / Data Explorer
Events are delivered in batches with at least once delivery guarantees, using a common schema that allows reliable indexing and correlation in your chosen platform.
What you can observe:
Workflow and job execution details across repositories and organizations.
Dependency resolution and action usage patterns
(Future) Network activity and policy enforcement outcomes
Why this matters
Without centralized telemetry, anomalies go unnoticed, detection happens after an incident, and responses are delayed.
The Actions Data Stream solves this problem by making CI/CD observable like any other production system.
Milestones:
PhaseTarget
Public preview3-6 months
General availability6-9 months
Native egress firewall for GitHub-hosted runners
The current challenge
GitHub-hosted runners currently allow unrestricted outbound network access. That means:
Easy data exfiltration
No restrictions on what package registries can be used to obtain dependencies
Unclear distinctions between expected and unexpected network traffic
What’s changing
We’re building a native egress firewall for GitHub-hosted runners, treating CI/CD infrastructure as critical infrastructure with enforceable network boundaries.
The firewall operates outside the runner VM at Layer 7. It remains immutable even if an attacker gains root access inside the runner environment. Organizations define precise egress policies, including:
Allowed domains and IP ranges
Permitted HTTP methods
TLS and protocol requirements
The firewall provides two complementary capabilities:
Monitor: Organizations can monitor all outbound network traffic from their runners, with every request automatically audited and correlated to the workflow run, job, step, and initiating command. This visibility gives teams the data they need to understand what their workflows connect to, build informed allowlists, and assess the impact of restrictions before enforcing them.
Enforce: Organizations can enforce egress policies that block any traffic not explicitly permitted, ensuring that only approved destinations are reachable from the build environment.
Together, monitoring and enforcement create a safe adoption path: observe traffic patterns first, develop precise allowlists based on real data, then activate enforcement with confidence.
Milestones:
PhaseTarget
Public preview6-9 months
Our future goal: treating runners as protected endpoints
Runners shouldn’t be treated as disposable black boxes. We’re expanding toward:
Process-level visibility
File system monitoring
Richer execution signals
Near real-time enforcement
What this means in practice
CI/CD has become part of the critical infrastructure for enterprises and open source. The failures we’ve seen around dependency management, complex and implicit trust boundaries, secret handling, and observability have led to an increase in attacks across the software supply chain.
The 2026 GitHub Actions roadmap responds directly. We’re shifting the platform toward secure-by-default, verifiable automation with a focus on disrupting these attacks.
That means:
Workflows become deterministic and reviewable
Secrets are explicitly scoped and not broadly inherited
Execution is governed by policy, not YAML alone
Runners become observable and controllable systems
GitHub Actions remains flexible. Our roadmap is designed to move Actions toward a secure by default, auditable automation platform without requiring every team to rebuild their CI/CD model from scratch.
Get started
Join the discussion in the GitHub community to tell us what you think.
The post What’s coming to our GitHub Actions 2026 security roadmap appeared first on The GitHub Blog.
関連記事
今日のまとめ
AI日報で今日の重要ニュースをまとめ読み