Chainguard Guardener Commit Verification
Configure Chainguard Guardener to verify that every commit in a pull request is cryptographically signed by an …
For the complete documentation index, see llms.txt.
The Actions Security feature recommends and migrates your GitHub Actions to Chainguard’s hardened, SHA-pinned equivalents. Pinning actions to a specific commit SHA — rather than a mutable tag or branch — protects your workflows from supply chain attacks in which an upstream tag is moved to point at malicious code.
Actions Security operates in two independent modes:
You can enable either mode on its own or both together.
Add a .chainguard/actions.yaml file to your repository:
enabled: trueWith just enabled: true, the Guardener posts non-blocking recommendation comments on pull requests that touch your workflows. It does not open pull requests of its own.
To have the Guardener periodically open and maintain a pull request that migrates your workflows, enable the migrate block:
enabled: true
migrate:
enabled: true
period: "168h"The Guardener opens (and keeps updated) a single migration pull request on the cadence you set with period.
Use the migrate.ignore block to exclude specific workflow files or upstream actions from automated migration. Both fields accept glob patterns:
enabled: true
migrate:
enabled: true
period: "168h"
ignore:
files:
- "release.yml"
- "*.deprecated.yml"
actions:
- "actions/checkout"
- "actions/*"ignore.files — workflow files (under .github/workflows/) to skip.ignore.actions — upstream actions to leave untouched.| Field | Default | Purpose |
|---|---|---|
enabled | true | Enables inline pull request recommendation comments. |
migrate.enabled | false | Opts into automated migration pull requests. |
migrate.period | 24h | How often the migration pull request is refreshed. Clamped to a minimum of one day. |
migrate.ignore.files | — | Glob patterns for workflow files to skip during migration. |
migrate.ignore.actions | — | Glob patterns for upstream actions to skip during migration. |
The period value is a Go-style duration string (for example, 24h, 168h for one week).
A complete .chainguard/actions.yaml enabling both recommendations and weekly automated migration, while leaving the actions/* family and a release workflow untouched:
enabled: true
migrate:
enabled: true
period: "168h"
ignore:
files:
- "release.yml"
actions:
- "actions/*".chainguard/ configuration model.Last updated: 2026-07-08 00:00