For the complete documentation index, see llms.txt.

Chainguard Guardener Actions Security

Configure Chainguard Guardener to recommend and migrate your GitHub Actions to Chainguard's hardened, SHA-pinned equivalents.
  2 min read

The Actions Security feature recommends and migrates your GitHub Actions to Chainguard’s hardened, SHA-pinned equivalents. Pinning actions to a specific commit SHA — rather than a mutable tag or branch — protects your workflows from supply chain attacks in which an upstream tag is moved to point at malicious code.

Actions Security operates in two independent modes:

  • Pull request recommendations — non-blocking review comments that suggest hardened action alternatives, with one-click suggestion blocks.
  • Automated migration pull requests — a periodically maintained pull request that updates workflows across your repository.

You can enable either mode on its own or both together.

Enable Actions Security

Add a .chainguard/actions.yaml file to your repository:

enabled: true

With just enabled: true, the Guardener posts non-blocking recommendation comments on pull requests that touch your workflows. It does not open pull requests of its own.

Enable automated migration pull requests

To have the Guardener periodically open and maintain a pull request that migrates your workflows, enable the migrate block:

enabled: true
migrate:
  enabled: true
  period: "168h"

The Guardener opens (and keeps updated) a single migration pull request on the cadence you set with period.

Exclude files and actions

Use the migrate.ignore block to exclude specific workflow files or upstream actions from automated migration. Both fields accept glob patterns:

enabled: true
migrate:
  enabled: true
  period: "168h"
  ignore:
    files:
      - "release.yml"
      - "*.deprecated.yml"
    actions:
      - "actions/checkout"
      - "actions/*"
  • ignore.files — workflow files (under .github/workflows/) to skip.
  • ignore.actions — upstream actions to leave untouched.

Configuration reference

FieldDefaultPurpose
enabledtrueEnables inline pull request recommendation comments.
migrate.enabledfalseOpts into automated migration pull requests.
migrate.period24hHow often the migration pull request is refreshed. Clamped to a minimum of one day.
migrate.ignore.filesGlob patterns for workflow files to skip during migration.
migrate.ignore.actionsGlob patterns for upstream actions to skip during migration.

The period value is a Go-style duration string (for example, 24h, 168h for one week).

Full example

A complete .chainguard/actions.yaml enabling both recommendations and weekly automated migration, while leaving the actions/* family and a release workflow untouched:

enabled: true
migrate:
  enabled: true
  period: "168h"
  ignore:
    files:
      - "release.yml"
    actions:
      - "actions/*"

Next steps

Last updated: 2026-07-08 00:00