Pin GitHub Actions versions
MIT License
Pull Requests | Issues | https://github.com/suzuki-shunsuke/pinact/compare/v0.1.3...v0.2.0
#439 Ignore action versions other than semver (x.y.z) and short versions (v1, v2, ...)
pinact ignores action versions such as main, master, and foo/v1.0.0.
#439 Support verifying version annotations
https://github.com/suzuki-shunsuke/pinact/blob/main/docs/codes/001.md
Please see the following code.
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v3.5.1
You might assume the action's version is v3.5.1 because the version annotation says "v3.5.1".
But the actual version is v2.7.0, because "ee0669bd1cc54295c223e0bb666b733df41de1c5" is the commit hash of v2.7.0.
Please check the releases.
This shows that version annotations aren't necessarily correct.
In particular, an attacker can pin a full commit SHA that contains malicious code while putting a safe-looking tag in the version annotation.
If a pull request changes GitHub Actions, you should verify the version annotations.
pinact v0.1.3 or newer can verify version annotations using the --verify option of pinact run.
This verification works only if the version annotation is semver and the version is a full commit hash, as in the example above.
The option resolves the version annotation to a full commit hash through the GitHub API and compares it with the pinned version.
e.g.
$ pinact run --verify testdata/bar.yaml
ERRO[0000] parse a line action=actions/checkout action_version=ee0669bd1cc54295c223e0bb666b733df41de1c5 commit_hash_of_version_annotation=83b7061638ee4956cf7545a6f7efe594e5ad0247 error="verify the version annotation: action_version must be equal to commit_hash_of_version_annotation" help_docs="https://github.com/suzuki-shunsuke/pinact/blob/main/docs/codes/001.md" pinact_version=0.2.0 program=pinact version_annotation=v3.5.1 workflow_file=testdata/bar.yaml
Note that the --verify option calls the GitHub API to verify version annotations, which may hit API rate limits.
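The check described above, reduced to its core, as an added example that is not pinact's own code: parse each `uses:` line (quoted or not, as #358 allows), classify the ref the way the #439 rule does (full SHA, semver, short version, or ignored), and for SHA-pinned steps with a semver annotation compare the pinned SHA against the SHA the tag resolves to. pinact does the resolution through the GitHub API; here the lookup is a constructed in-memory table so the script runs offline. The sample workflow, the `FAKE_TAG_TO_SHA` table, `fake_resolve`, `classify_ref` and `verify_workflow` are all assumptions of this example; the two checkout SHAs and the v3.5.1 / v2.7.0 tags are the ones quoted in the release notes.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample workflow. The two actions/checkout SHAs and the v3.5.1 /
# v2.7.0 tags are the ones quoted in the release notes; the rest is made up.
SAMPLE_WORKFLOW = """\
name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v3.5.1
      - uses: "actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247" # v3.5.1
      - uses: actions/setup-go@v5
      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # main
"""

# Constructed stand-in for the GitHub API call pinact makes: (repo, tag) -> commit SHA.
FAKE_TAG_TO_SHA = {
    ("actions/checkout", "v3.5.1"): "83b7061638ee4956cf7545a6f7efe594e5ad0247",
    ("actions/checkout", "v2.7.0"): "ee0669bd1cc54295c223e0bb666b733df41de1c5",
}

USES_RE = re.compile(
    r"""^\s*-\s*uses:\s*["']?(?P<action>[^@"'\s]+)@(?P<ref>[^"'\s#]+)["']?"""
    r"""(?:\s*#\s*(?P<annotation>\S+))?\s*$"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SEMVER_RE = re.compile(r"^v?\d+\.\d+\.\d+$")   # x.y.z, optionally with a leading v
SHORT_VERSION_RE = re.compile(r"^v\d+$")        # v1, v2, ...


def classify_ref(ref: str) -> str:
    """Mirror the #439 rule: only full SHAs, semver and short versions are handled."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if SEMVER_RE.match(ref):
        return "semver"
    if SHORT_VERSION_RE.match(ref):
        return "short"
    return "ignored"   # main, master, foo/v1.0.0, ...


def parse_uses(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (action, ref, annotation) for a `- uses:` line, quoted or not."""
    m = USES_RE.match(line)
    if m is None:
        return None
    return m.group("action"), m.group("ref"), m.group("annotation")


def fake_resolve(action: str, tag: str) -> Optional[str]:
    """Resolve tag -> SHA from the constructed table (real pinact asks the GitHub API).
    Actions that point into a subdirectory (owner/repo/path) share the repo's tags."""
    repo = "/".join(action.split("/")[:2])
    return FAKE_TAG_TO_SHA.get((repo, tag))


def verify_workflow(text: str,
                    resolve: Callable[[str, str], Optional[str]]) -> List[Tuple[int, str, str]]:
    """Check every pinned step the way `pinact run --verify` does: the SHA the
    annotation's tag resolves to must equal the SHA actually pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_uses(line)
        if parsed is None:
            continue
        action, ref, annotation = parsed
        if classify_ref(ref) != "sha":
            findings.append((lineno, action, "not_pinned"))
            continue
        # Like pinact, only verify when the annotation is semver.
        if annotation is None or classify_ref(annotation) != "semver":
            findings.append((lineno, action, "skipped"))
            continue
        expected = resolve(action, annotation)
        if expected is None:
            findings.append((lineno, action, "unresolved"))
            continue
        findings.append((lineno, action, "ok" if expected == ref else "mismatch"))
    return findings


if __name__ == "__main__":
    for lineno, action, status in verify_workflow(SAMPLE_WORKFLOW, fake_resolve):
        print(f"line {lineno}: {action}: {status}")
```

Run as a script it reports line 7 as a mismatch (the v3.5.1 annotation resolves to 83b706..., not the pinned ee0669...), line 8 as ok, line 9 as not pinned, and line 10 as skipped because "main" is not a semver annotation. Replacing `fake_resolve` with a function that queries the GitHub API turns this into a real check, subject to the same rate limits noted above.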
#435 #436 #437 Refactoring
Published by github-actions[bot] 6 months ago
Pull Requests | Issues | https://github.com/suzuki-shunsuke/pinact/compare/v0.1.2...v0.1.3
#393 #394 Add .github/pinact.yaml as a default config path @kachick
Update Go 1.20.5 to 1.22.2
Published by github-actions[bot] 6 months ago
Published by github-actions[bot] 7 months ago
https://github.com/suzuki-shunsuke/pinact/compare/v0.1.2...v0.1.3-1
Update Go to v1.22.1
#358 Support lines with quotes @kazuki-hanai
Published by github-actions[bot] over 1 year ago
Pull Requests | Issues | https://github.com/suzuki-shunsuke/pinact/compare/v0.1.1...v0.1.2
#99 Support configuration files
#99 Add a subcommand init to generate a configuration file
For the configuration file, please see Configuration.
e.g. .pinact.yaml
files:
- pattern: "^\\.github/workflows/.*\\.ya?ml$"
- pattern: "^(.*/)?action\\.ya?ml$"
ignore_actions:
- name: actions/setup-java
- name: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml
$ pinact init # .pinact.yaml is generated.
Published by github-actions[bot] over 1 year ago
Pull Requests | Issues | https://github.com/suzuki-shunsuke/pinact/compare/v0.1.1...v0.1.2-1
Published by github-actions[bot] over 1 year ago
Pull Requests | Issues | https://github.com/suzuki-shunsuke/pinact/compare/v0.1.0...v0.1.1
#95 #97 Keep lines of 404 actions
#96 #97 Skip actions pinned with full commit hash
pinact v0.1.0 has a bug: if some actions are not found, their lines are removed.
$ pinact version
pinact version 0.1.0 (8ccd55944c83ff1f4d738343c28d4a6109246d06)
foo.yaml
name: foo
on: workflow_call
jobs:
  foo:
    runs-on: ubuntu-latest
    steps:
      - uses: suzuki-shunsuke/repo-404@83b7061638ee4956cf7545a6f7efe594e5ad0247
$ pinact run foo.yaml
WARN[0000] get a reference error="GET https://api.github.com/repos/suzuki-shunsuke/repo-404/commits/83b7061638ee4956cf7545a6f7efe594e5ad0247: 404 Not Found []" pinact_version=0.1.0 program=pinact workflow_file=foo.yaml
$ git diff foo.yaml
diff --git a/foo.yaml b/foo.yaml
index 7c23799..9ba4f83 100644
--- a/foo.yaml
+++ b/foo.yaml
@@ -4,4 +4,4 @@ jobs:
foo:
runs-on: ubuntu-latest
steps:
- - uses: suzuki-shunsuke/repo-404@83b7061638ee4956cf7545a6f7efe594e5ad0247
+
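Review bot: the hunk deletes the `- uses: suzuki-shunsuke/repo-404@83b706...` step and replaces it with an empty `+` line, so a 404 from the commits API silently removes a step from the workflow. A lookup failure should leave the line exactly as it was and only emit the warning; the v0.1.1 behaviour shown next (warning, `git diff` shows no change) is the correct handling.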
pinact v0.1.1 fixed the bug. If actions are not found, pinact ignores those actions and leaves their lines unchanged.
$ pinact run foo.yaml
WARN[0000] get a reference error="GET https://api.github.com/repos/suzuki-shunsuke/repo-404/commits/83b7061638ee4956cf7545a6f7efe594e5ad0247: 404 Not Found []" pinact_version=0.1.1 program=pinact workflow_file=foo.yaml
$ git diff foo.yaml # No change
pinact v0.1.0 has a bug: if some actions are pinned by commit hash but have no code comment, the commit hash itself is appended as a comment.
$ pinact version
pinact version 0.1.0 (8ccd55944c83ff1f4d738343c28d4a6109246d06)
foo.yaml
name: foo
on: workflow_call
jobs:
  foo:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247
$ pinact run foo.yaml
$ git diff foo.yaml
diff --git a/foo.yaml b/foo.yaml
index a52749f..c4c3f7f 100644
--- a/foo.yaml
+++ b/foo.yaml
@@ -4,4 +4,4 @@ jobs:
foo:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247
+ - uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247 # 83b7061638ee4956cf7545a6f7efe594e5ad0247
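Review bot: the `+` line appends `# 83b7061638ee4956cf7545a6f7efe594e5ad0247`, which merely repeats the SHA already in the `uses:` value and adds no version information for a reviewer. A ref that is already a 40-character commit hash should be detected before rewriting and the line skipped, which is what the v0.1.1 fix does; if an annotation is wanted, it should be the tag that resolves to that commit, not the hash again.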
pinact v0.1.1 fixed the bug: pinact skips actions that are already pinned with a full commit hash.
$ pinact run foo.yaml
$ git diff foo.yaml # No change
Published by github-actions[bot] over 1 year ago
Pull Requests | Issues | https://github.com/suzuki-shunsuke/pinact/commits/v0.1.0
🎉 First release
Published by github-actions[bot] over 1 year ago
Pull Requests | Issues | https://github.com/suzuki-shunsuke/pinact/compare/...v0.1.0-1