Git tags on GitHub are mutable: a tag can be moved to point at a different commit after it has been published. This makes GitHub Actions workflows that reference actions by tag vulnerable to supply chain attacks. GitHub recommends pinning actions to a commit SHA instead of using tags.
But pinned commit SHAs have to be resolved in the first place and then kept up to date. I wrote an MCP server that resolves GitHub refs to commit SHAs, finds the latest release of a repository, and so on, which helps pin existing GitHub Actions to their commit SHAs and update them to the latest releases.
We tested it with Cursor's MCP support, and it is now our go-to tool for keeping GitHub Actions and container base images pinned to immutable references.
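To make the tag-to-SHA pinning concrete, here is an added example (my own illustration, not the MCP server described in the post) that rewrites `uses: owner/repo@tag` lines in a workflow to `uses: owner/repo@<sha> # tag`, leaves already-pinned, local and `docker://` references alone, and reports tags it could not resolve. The resolver is injectable: the offline demo uses a constructed mapping with placeholder SHAs, while `git_ls_remote_resolver` shows what a real lookup with `git ls-remote` looks like (it assumes the action lives on github.com and is not exercised by the demo).

```python
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Matches "uses: owner/repo@ref" (optionally owner/repo/sub/path@ref) and keeps the
# leading YAML layout in the "indent" group so the rewritten line stays valid YAML.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?P<rest>.*)$"
)
# A ref that is already a full 40-hex commit SHA is considered pinned.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# A resolver maps (action, tag) -> commit SHA, or None when it cannot resolve.
Resolver = Callable[[str, str], Optional[str]]


def git_ls_remote_resolver(action: str, tag: str) -> Optional[str]:
    """Resolve a tag to a commit SHA with `git ls-remote` (network; not used by the demo).

    For annotated tags, ls-remote lists both `refs/tags/<tag>` (the tag object) and a
    peeled `refs/tags/<tag>^{}` entry (the commit it points at); the peeled SHA is the
    one a workflow must pin to, so it is preferred when present.
    """
    owner_repo = "/".join(action.split("/")[:2])
    out = subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{owner_repo}.git"],
        capture_output=True, text=True, check=True,
    ).stdout
    found: Dict[str, str] = {}
    for line in out.splitlines():
        sha, ref = line.split("\t", 1)
        found[ref] = sha
    return found.get(f"refs/tags/{tag}^{{}}") or found.get(f"refs/tags/{tag}")


def pin_workflow(text: str, resolve: Resolver) -> Tuple[str, List[Tuple[str, str]]]:
    """Rewrite tag references in a workflow to commit SHAs.

    Returns the rewritten text and a list of (action, tag) pairs that could not be
    resolved; those lines are left unchanged rather than silently dropped.
    """
    out_lines: List[str] = []
    unresolved: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        # Local actions (./path) and docker:// images never match; pinned SHAs are skipped.
        if not m or SHA_RE.match(m["ref"]):
            out_lines.append(line)
            continue
        sha = resolve(m["action"], m["ref"])
        if sha is None:
            unresolved.append((m["action"], m["ref"]))
            out_lines.append(line)
            continue
        # Keep the human-readable tag as a trailing comment so reviewers (and update
        # tooling) can still see which release the SHA corresponds to.
        out_lines.append(f'{m["indent"]}{m["action"]}@{sha} # {m["ref"]}')
    return "\n".join(out_lines) + "\n", unresolved


# Constructed demo data: placeholder SHAs, NOT the real commits of these actions.
CONSTRUCTED_SHAS: Dict[Tuple[str, str], str] = {
    ("actions/checkout", "v4"): "a" * 40,
    ("actions/setup-node", "v4.0.2"): "b" * 40,
}


def demo_resolver(action: str, tag: str) -> Optional[str]:
    return CONSTRUCTED_SHAS.get((action, tag))


# Constructed sample workflow covering the cases the rewriter must handle.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4.0.2
        with:
          node-version: 20
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: some-org/unknown-action@v1
"""


def demo() -> Tuple[str, List[Tuple[str, str]]]:
    """Run the rewriter over the constructed workflow with the offline resolver."""
    return pin_workflow(SAMPLE_WORKFLOW, demo_resolver)


if __name__ == "__main__":
    pinned, missing = demo()
    print(pinned)
    print("unresolved:", missing)
```

Running the rewriter a second time over its own output changes nothing, because pinned lines now carry a 40-hex ref; that idempotence is what makes it safe to run on every update. The same idea applies to container base images, where the immutable reference is the `@sha256:` digest rather than a commit SHA.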