ISSUE-702 · High · Medium · CLI · Third-party actions

Action is hosted in an archived repository

Control: Actions must not reference archived repositories · Config key: actionsMustNotBeArchived

📋 What is this?

A workflow step uses a third-party action (uses: owner/repo@ref) whose upstream repository is archived on GitHub. Plumber scans committed .github/workflows/*.{yml,yaml} only, queries GET /repos/{owner}/{repo} for the archived flag, and caches one result per owner/repo (not per ref). Requires gh auth login or GH_TOKEN; without authentication the control abstains and emits no finding.

⚠️ Impact

Archived repositories don't receive security fixes. Any vulnerability discovered after the archive date stays open forever — but the action keeps running inside your workflow with whatever permissions you grant it. Pinning by SHA does not save the caller either: the last maintainer (or whoever later acquires the namespace) can still push new code under the same repository name.

🔧 How to fix

Replace the archived action with a maintained alternative, fork it and patch it yourself, or vendor the action's source into your repository under .github/actions/. If the action is small enough to read in one sitting, inlining the equivalent shell logic removes the supply-chain dependency entirely.

✗ Before: The upstream repo is archived; the SHA-pinned version is frozen too, including its bugs.

# .github/workflows/release.yml — ❌ Archived upstream
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: archived-org/release-action@v1 # repo archived 2023

✓ After: Active project receiving updates.

# .github/workflows/release.yml — ✅ Maintained alternative
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2

# .plumber.yaml
github:
  controls:
    actionsMustNotBeArchived:
      enabled: true

💡 Tips

  • Scope is step-level uses: in your workflow files only. Job-level reusable-workflow uses: lines, local ./.github/actions/*, and docker:// steps are out of scope.
  • Without gh / GH_TOKEN, the rule abstains on every ref (degraded contract, no false positives). This is not a clean pass.
  • Does not fetch callee reusable-workflow YAML from other repositories; only what is committed under .github/workflows/ in the analyzed ref.
  • The PBOM tags each archived include with archived: true (JSON) / plumber:archived (CycloneDX) so dashboards can dedupe across multiple callers of the same abandoned action.
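The scanning and scoping rules described under "What is this?" and in the tips above (step-level `uses:` only; local `./` and `docker://` references skipped; one archived lookup per owner/repo rather than per ref; abstain with no findings when no token is available) as an added Python example. This is not Plumber's own code and makes several simplifying assumptions: a line-based extractor stands in for a full YAML parser, only `GH_TOKEN` is honoured (not `gh auth login`), the sample workflow is constructed, and the archived-lookup function is passed in as a parameter so the check runs offline.

```python
import json
import os
import re
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample workflow (not from any real repository), modelled on the
# Before/After snippets on this page. Line numbers below are 1-based within it.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  lint:
    uses: my-org/shared-workflows/.github/workflows/lint.yml@main  # job-level: out of scope
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-build   # local action: out of scope
      - uses: docker://alpine:3.19            # container image: out of scope
      - name: Publish
        uses: archived-org/release-action@v1  # repo archived 2023 (constructed)
      - uses: "archived-org/release-action@abc123"  # same repo, other ref
"""

# Matches a `uses:` key with or without the leading list dash.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(.+?)\s*$")

# A lookup answers True/False for the archived flag, or None when it cannot
# query GitHub (no credentials); None makes the control abstain, not guess.
Lookup = Callable[[str], Optional[bool]]


def step_level_uses(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reference) for every step-level `uses:`.

    Simplified indentation tracking instead of a YAML parser: after a `steps:`
    key, any `uses:` indented deeper than it (or a `- ` item at the same indent)
    is a step. Job-level reusable-workflow `uses:` never sits under `steps:`.
    """
    found: List[Tuple[int, str]] = []
    steps_indent: Optional[int] = None
    for lineno, raw in enumerate(workflow_text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if stripped.startswith("steps:"):
            steps_indent = indent
            continue
        if steps_indent is not None and (
            indent < steps_indent or (indent == steps_indent and not stripped.startswith("-"))
        ):
            steps_indent = None  # dedented out of the steps block
        if steps_indent is None:
            continue
        match = USES_RE.match(raw)
        if match:
            # Drop a trailing YAML comment and any surrounding quotes.
            found.append((lineno, match.group(1).split(" #", 1)[0].strip().strip("'\"")))
    return found


def owner_repo(reference: str) -> Optional[str]:
    """Map a `uses:` reference to its owner/repo, or None when out of scope."""
    if reference.startswith("./") or reference.startswith("docker://"):
        return None
    parts = reference.split("@", 1)[0].split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return None
    return f"{parts[0]}/{parts[1]}"  # owner/repo/subdir collapses to the repo


def github_archived_lookup(repo: str, token: Optional[str] = None) -> Optional[bool]:
    """Real lookup: GET /repos/{owner}/{repo}, read `archived`; None without GH_TOKEN."""
    token = token or os.environ.get("GH_TOKEN")
    if not token:
        return None  # unauthenticated: abstain rather than report a clean pass
    request = urllib.request.Request(
        f"https://api.github.com/repos/{repo}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return bool(json.load(response).get("archived", False))


def find_archived_actions(workflow_text: str, lookup: Lookup) -> Tuple[str, List[Dict]]:
    """Run the control: ("abstained", []) if any lookup cannot answer, else
    ("evaluated", findings) with one finding per step that uses an archived repo."""
    cache: Dict[str, Optional[bool]] = {}  # one API result per owner/repo, not per ref
    findings: List[Dict] = []
    for lineno, reference in step_level_uses(workflow_text):
        repo = owner_repo(reference)
        if repo is None:
            continue
        if repo not in cache:
            cache[repo] = lookup(repo)
        if cache[repo] is None:
            return "abstained", []
        if cache[repo]:
            findings.append({"line": lineno, "uses": reference, "repo": repo, "archived": True})
    return "evaluated", findings


if __name__ == "__main__":
    # Constructed stand-in for the GitHub API so the demo runs offline.
    fake_api = {"archived-org/release-action": True, "actions/checkout": False}
    print(find_archived_actions(SAMPLE_WORKFLOW, fake_api.get))
    print(find_archived_actions(SAMPLE_WORKFLOW, lambda repo: None))  # no token
```

Against the sample, the two `archived-org/release-action` steps (different refs) produce two findings from a single lookup, the job-level, local and `docker://` references produce none, and swapping in a lookup that returns None yields `("abstained", [])`, matching the degraded-contract behaviour the tips describe. To run it against GitHub for real, pass `github_archived_lookup` with `GH_TOKEN` set.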

⚙️ Configuration

This control is configured in .plumber.yaml under the github section:

github:
  controls:
    actionsMustNotBeArchived:
      enabled: true

See the CLI documentation for the full configuration reference.