Today we are excited to announce that StepSecurity Maintained Actions are now free for public repositories. What was previously an enterprise-only capability is now available to every open-source project on GitHub. This is a major step in our mission to make CI/CD pipelines more secure for the entire developer community.
The Growing Risk of Third-Party GitHub Actions
GitHub Actions have transformed how developers build, test, and deploy software. The marketplace offers thousands of reusable actions that boost productivity and eliminate repetitive work. But there is a catch. Every third-party action you add to your workflow is code that runs in your CI/CD environment, with access to your secrets, your cloud credentials, and your source code.
Security teams have raised legitimate concerns about this attack surface. Many popular third-party actions have been abandoned or archived by their original maintainers. Some lack proper licensing or carry restrictive licenses. Others do not follow basic security best practices for repository management and release processes. When a widely-used action goes unmaintained, every project depending on it inherits the risk.
This creates a fundamental tension. Developers want to use actions because they make them more productive, but security teams worry because these actions can access CI/CD secrets that grant access to cloud environments and production infrastructure.
A Wake-Up Call: The tj-actions/changed-files Incident
In March 2025, the tj-actions/changed-files action, used by over 23,000 repositories, was compromised in a supply chain attack (CVE-2025-30066). Attackers exploited a persistent bot account with repository access to update version tags so they referenced a malicious commit. That commit extracted CI/CD secrets from runner memory and exposed them in workflow logs. The incident was detected by StepSecurity's Harden-Runner, and our team reported it to the maintainers within hours.
Our enterprise customers had already requested a StepSecurity Maintained Action for changed-files, so we had a secure drop-in replacement ready. But the scale of the incident made one thing clear: the need for secure alternatives was not limited to our enterprise customers. The entire community needed a trusted replacement. So we made step-security/changed-files free for everyone.
The response validated our decision. Since then, thousands of enterprises and over 3,000 open-source projects have adopted step-security/changed-files as their secure replacement. In nearly every introductory call with new prospects, we hear that organizations are already using it. That adoption told us something important: the community needs more of these secure alternatives, not fewer.
What Are StepSecurity Maintained Actions?

StepSecurity Maintained Actions are secure, drop-in replacements for popular third-party GitHub Actions. Our catalog now holds 500 maintained actions, and the number grows every day. Each one is designed to be API-compatible with the original, so you can switch with a simple find-and-replace in your workflow files, with no other changes required.
We onboard Maintained Actions based on requests from enterprise customers, who typically ask us to onboard actions that:
- Have been abandoned by their original maintainers
- Have a single maintainer
- Receive low security scores (based on the OpenSSF Scorecard)
- Present high security risk due to credential access requirements
Every maintained action goes through a rigorous security process:
- Rigorous onboarding. Every action undergoes a thorough manual secure code review before it is onboarded.
- Strict access control. All action repositories live in the StepSecurity organization, with write access limited to our engineering team.
- AI-assisted secure code review. Before an action is released as a StepSecurity Maintained Action, we run an AI-assisted secure code review across the upstream source to surface vulnerable or risky code, then fix those issues as part of onboarding.
- Robust branch protection. We require cryptographically signed commits, approval from a reviewer other than the PR creator, and passing security status checks before merge (CodeQL, Dependency Review, and OpenSSF Scorecard).
- Tag protection. By default, no tags can be created or changed. We use just-in-time access to create tags during the release process, which prevents the kind of tag-tampering seen in the tj-actions incident.
- Secure release process. Node action dist folders are rebuilt and validated inside a GitHub Actions workflow. Docker images are built and pushed to StepSecurity's GitHub container registry. Releases use environment-based approvals and ephemeral GitHub Actions tokens instead of persistent bot accounts.
- Proactive vulnerability management. We monitor dependencies continuously and patch against defined SLAs: critical vulnerabilities (CVSS 9.0 and higher) within 2 days, high-risk (CVSS 7.0 and higher) within 30 days, moderate-risk (CVSS 4.0 to 6.9) within 90 days, and low-risk (CVSS under 4.0) within 180 days.
- Upstream coordination. We sync with upstream every month, incorporating upstream changes within 30 days of release using the same review and release process, so our maintained actions always stay up to date.
All maintained actions are open source, so you can inspect every line of code yourself.
Why We're Making Them Free for Public Repos
StepSecurity has always been community-first. Our Harden-Runner action is free for public repositories and is trusted by over 15,000 open-source projects and enterprises, including those maintained by Microsoft, Google, and CISA. Our SecureRepo tool, which creates automated pull requests to harden repository security configurations, is free for public repos and has been used by over 22,000 repositories.
Many of our maintained actions were created specifically because the original actions were abandoned or archived. Their maintainers moved on, but the thousands of projects depending on them did not. These projects, many of them critical open-source infrastructure, deserve secure, actively maintained alternatives regardless of whether they can pay for an enterprise subscription.
Continuing with that community-first principle, we are making StepSecurity Maintained Actions free for public repositories. This will lead to more secure CI/CD workflows across the open-source ecosystem, which benefits everyone, because open-source software is the foundation that enterprises build on.
How It Works
- Public repositories: StepSecurity Maintained Actions are free to use. No subscription required.
- Private repositories: Maintained actions include a subscription check and require a StepSecurity subscription.
Switching is straightforward. Since maintained actions are drop-in replacements, migration is typically a one-line change in your workflow YAML, replacing the original action reference with the StepSecurity equivalent.
For larger teams, you do not have to make those changes by hand. Enterprise tier customers can replace third-party actions across their repositories automatically using Policy-Driven PRs. You define the policy once, and StepSecurity opens pull requests that swap supported third-party actions for their StepSecurity maintained equivalents. You can replace only selected actions for a gradual rollout or replace everything that has a maintained equivalent and exempt specific actions, with an option to restrict replacements to the same major version. Your team reviews and merges the PRs like any other code change, so adopting maintained actions scales across hundreds of repositories without manual edits.
Follow this interactive demo to see how Policy-Driven PRs work:
Available Now: 500 Free Maintained Actions

Here are some examples of archived actions and their StepSecurity Maintained Action alternatives:
- step-security/action-slack → Secure replacement for 8398a7/action-slack
- step-security/github-app-token → Secure replacement for tibdex/github-app-token
- step-security/swift-doc → Secure replacement for SwiftDocOrg/swift-doc
- step-security/actions-rs-cargo → Secure replacement for actions-rs/cargo
- step-security/actions-rs-toolchain → Secure replacement for actions-rs/toolchain
- step-security/github-action-markdown-link-check → Secure replacement for gaurav-nelson/github-action-markdown-link-check
- step-security/trigger-workflow-and-wait → Secure replacement for convictional/trigger-workflow-and-wait
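The one-line migration described above, as an added example that is not part of StepSecurity's tooling: a small script that rewrites `uses:` references in a workflow file from the archived actions listed in this post to their maintained equivalents, keeps the existing tag so the major version stays the same, and deliberately refuses to rewrite steps pinned to a 40-character commit SHA, since that SHA belongs to the original repository and must be re-pinned by hand against the replacement. The mapping, the sample workflow and the `v3`/`v1` tags are constructed for the example; it assumes the maintained action publishes the same tag names as the original.

```python
import re

# Archived actions and their StepSecurity Maintained Action equivalents,
# taken from the list in this post (tj-actions/changed-files from the incident section).
REPLACEMENTS = {
    "tj-actions/changed-files": "step-security/changed-files",
    "8398a7/action-slack": "step-security/action-slack",
    "tibdex/github-app-token": "step-security/github-app-token",
    "SwiftDocOrg/swift-doc": "step-security/swift-doc",
    "actions-rs/cargo": "step-security/actions-rs-cargo",
    "actions-rs/toolchain": "step-security/actions-rs-toolchain",
    "gaurav-nelson/github-action-markdown-link-check": "step-security/github-action-markdown-link-check",
    "convictional/trigger-workflow-and-wait": "step-security/trigger-workflow-and-wait",
}

# A `uses:` step: owner/repo[/subpath]@ref, keeping indentation and any trailing comment.
USES_RE = re.compile(
    r"^(?P<lead>\s*-?\s*uses:\s*)(?P<owner>[\w.-]+/[\w.-]+)(?P<path>/[^@\s]*)?@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA pin


def rewrite_workflow(text, replacements=REPLACEMENTS):
    """Return (new_text, changed, needs_repin).

    changed:     (line_no, old_action, new_action) for steps rewritten in place.
    needs_repin: steps pinned to a commit SHA of the original repo. The SHA does not
                 exist in the replacement repo, so the line is left untouched and reported.
    """
    out, changed, needs_repin = [], [], []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and m.group("owner") in replacements:
            new = replacements[m.group("owner")]
            if SHA_RE.match(m.group("ref")):
                needs_repin.append((no, m.group("owner"), new))
            else:  # tag or branch ref: keep it so the major version is unchanged
                line = f"{m.group('lead')}{new}{m.group('path') or ''}@{m.group('ref')}{m.group('rest')}"
                changed.append((no, m.group("owner"), new))
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), changed, needs_repin


# Constructed sample workflow (not from a real project).
SAMPLE = """name: ci
on: [pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v3  # tag ref: rewritten in place
      - uses: actions-rs/toolchain@v1
      - uses: 8398a7/action-slack@0123456789abcdef0123456789abcdef01234567
"""
```

Running `rewrite_workflow(SAMPLE)` rewrites the two tag-pinned steps and reports the SHA-pinned `action-slack` step for manual re-pinning; `actions/checkout` is not in the mapping and is left alone.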
Get Started
- Browse all maintained actions: https://app.stepsecurity.io/github-action-advisor
- View on GitHub: https://github.com/topics/step-security-maintained-actions
If your project uses third-party GitHub Actions, especially ones that are abandoned or archived, now is the time to switch to a secure, actively maintained alternative. Your CI/CD pipeline will thank you.