
pin-github-action
This is a tool that allows you to pin your GitHub actions dependencies to a specific SHA without requiring that you update every action manually each time you want to use a newer version of an action.
It achieves this by converting your workflow to use a specific commit hash, whilst adding the original value as a comment on that line. This allows us to resolve newer SHAs for that target ref automatically in the future.
It converts this:
name: Commit Push
on:
  push:
    branches:
      - master
jobs:
  build:
    name: nexmo/github-actions/submodule-auto-pr@main
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - name: nexmo/github-actions/submodule-auto-pr
        uses: nexmo/github-actions/submodule-auto-pr@main
Into this:
name: Commit Push
on:
  push:
    branches:
      - master
jobs:
  build:
    name: nexmo/github-actions/submodule-auto-pr@main
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@db41740e12847bb616a339b75eb9414e711417df # pin@main
      - name: nexmo/github-actions/submodule-auto-pr
        uses: nexmo/github-actions/submodule-auto-pr@73549280c1c566830040d9a01fe9050dae6a3036 # pin@main
For more information, see How it works.
Install it globally from npm:
npm install -g pin-github-action
Or run it from the Docker image through a shell alias:
alias pin-github-action="docker run --rm -v $(pwd):/src -e GH_ADMIN_TOKEN mheap/pin-github-action"
Use on single file:
pin-github-action /path/to/.github/workflows/your-name.yml
Use on all .yml and .yaml files in a directory:
pin-github-action /path/to/.github/workflows/
If you use private actions (or are hitting rate limits), you'll need to provide a GitHub access token:
GH_ADMIN_TOKEN=<your-token-here> pin-github-action /path/to/.github/workflows/your-name.yml
Run it as many times as you like! Each time you run the tool the exact SHA will be updated to the latest available SHA for your pinned ref.
If you're having issues, run with debug logging enabled and open an issue:
DEBUG="pin-github-action*" pin-github-action /path/to/.github/workflows/your-name.yml
You can pass multiple files at once by adding additional files as arguments:
pin-github-action first.yml second.yml
And you can mix directories with files:
pin-github-action first.yml /path/to/.github/workflows/
To leave an action unpinned, pass the --allow option when running pin-github-action.
Running pin-github-action /path/to/.github/workflows/your-name.yml --allow "actions/*" will turn this:
jobs:
  build:
    name: nexmo/github-actions/submodule-auto-pr@main
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: nexmo/github-actions/submodule-auto-pr@main
Into this (notice how actions/checkout@main is ignored):
jobs:
  build:
    name: nexmo/github-actions/submodule-auto-pr@main
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - name: nexmo/github-actions/submodule-auto-pr
        uses: nexmo/github-actions/submodule-auto-pr@73549280c1c566830040d9a01fe9050dae6a3036 # pin@main
You can pass multiple actions to allow as a comma-separated list, e.g. actions/checkout,mheap/*
A quick overview of the available globbing patterns (taken from multimatch, which we use to match globs):
- * matches any number of characters, but not /
- ? matches a single character, but not /
- ** matches any number of characters, including /, as long as it's the only thing in a path part
- {} allows for a comma-separated list of "or" expressions
- ! at the beginning of a pattern will negate the match
Examples:
- actions/checkout
- actions/*
- !actions/* (will only pin actions/* actions)
You can specify a comment containing the {ref} placeholder to customise the comment added.
To add support for renovate, run with the following options (note the leading space):
pin-github-action -c " {ref}" /path/to/workflow.yaml
How it works:
- Find all uses steps, skipping any docker:// or ./local-path actions
- Inspect those uses steps to determine the target ref
- Look for a comment starting with pin@ and use that as the target
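The following is an added example and not pin-github-action's own code: a compact, line-based re-implementation of the pinning pass described above, covering the uses-step scan, the pin@ comment lookup that lets re-runs move an existing pin, the --allow globs (with multimatch-style *, ?, ** and {a,b} and a leading !), and the -c comment template. It assumes a resolve(repo, ref) callback in place of the GitHub API call the real tool makes; the SAMPLE_SHAS table and SAMPLE_WORKFLOW are constructed, the two hashes being the ones shown in this README. How the real tool matches --allow against an action path inside a repository (e.g. nexmo/github-actions/submodule-auto-pr) is not stated here; this example matches the full action name and looks the ref up on owner/repo.

```javascript
// Added example, not pin-github-action's own code: a compact re-implementation of the
// pinning pass the README describes, operating line by line on a workflow file's text.
// resolve() is a stand-in for the GitHub API lookup the real tool performs; the table
// further down is constructed from the two SHAs shown in the README.

// Compile one multimatch-style glob into an anchored RegExp.
// Supports * and ? (neither crosses '/'), ** (crosses '/') and {a,b} alternatives.
// A leading '!' is stripped by the caller, which handles negation.
function globToRegExp(glob) {
  let re = "";
  let depth = 0; // brace nesting, so ',' is only an alternative separator inside {}
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") { re += ".*"; i++; }
    else if (c === "*") re += "[^/]*";
    else if (c === "?") re += "[^/]";
    else if (c === "{") { re += "(?:"; depth++; }
    else if (c === "}" && depth > 0) { re += ")"; depth--; }
    else if (c === "," && depth > 0) re += "|";
    else re += c.replace(/[.+^$()|[\]\\]/, "\\$&");
  }
  return new RegExp(`^${re}$`);
}

// Apply the --allow patterns in order: a positive pattern marks the action allowed (left
// unpinned), a leading '!' pattern un-marks it. To match the README example, a list that
// starts with a negation ("!actions/*" pins only actions/*) begins with everything allowed.
function isAllowed(name, patterns) {
  let allowed = patterns.length > 0 && patterns[0].startsWith("!");
  for (const p of patterns) {
    const negated = p.startsWith("!");
    if (globToRegExp(negated ? p.slice(1) : p).test(name)) allowed = !negated;
  }
  return allowed;
}

// Matches "  - uses: owner/repo[/path]@ref   # optional comment" and captures the three parts.
const USES_LINE = /^(\s*-?\s*uses:\s*)(\S+)(?:\s*#\s*(.*?))?\s*$/;

// Rewrite every pinnable `uses:` line. Options:
//   resolve(repo, ref) -> commit SHA or undefined   (the GitHub API stand-in)
//   allow              -> globs for actions to leave unpinned (the --allow option)
//   comment            -> text written after '#'; "{ref}" becomes the target ref (the -c option)
function pinWorkflow(text, { resolve, allow = [], comment = " pin@{ref}" }) {
  return text.split("\n").map((line) => {
    const m = USES_LINE.exec(line);
    if (!m) return line;
    const [, prefix, value, existingComment = ""] = m;
    // Docker images and local actions have no upstream commit to pin to.
    if (value.startsWith("docker://") || value.startsWith("./")) return line;
    const at = value.lastIndexOf("@");
    if (at === -1) return line;
    const name = value.slice(0, at);
    // A "pin@<ref>" comment left by a previous run names the ref to follow; otherwise the
    // ref in the `uses:` value is the target. This is what lets re-runs move an existing pin.
    const targetRef = existingComment.startsWith("pin@") ? existingComment.slice(4) : value.slice(at + 1);
    if (isAllowed(name, allow)) return line;
    // Assumption of this example: look the ref up on owner/repo, dropping any path inside the repo.
    const repo = name.split("/").slice(0, 2).join("/");
    const sha = resolve(repo, targetRef);
    if (!sha) return line; // unknown action or ref: leave the line as it was rather than guess
    return `${prefix}${name}@${sha} #${comment.replace("{ref}", targetRef)}`;
  }).join("\n");
}

// Constructed lookup table standing in for the GitHub API (SHAs taken from the README's example).
const SAMPLE_SHAS = {
  "actions/checkout": { main: "db41740e12847bb616a339b75eb9414e711417df" },
  "nexmo/github-actions": { main: "73549280c1c566830040d9a01fe9050dae6a3036" },
};
const lookupSha = (repo, ref) => (SAMPLE_SHAS[repo] || {})[ref];

// Constructed workflow, based on the README's example plus one Docker and one local step.
const SAMPLE_WORKFLOW = [
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@main",
  "      - uses: docker://alpine:3.19",
  "      - uses: ./.github/actions/local-step",
  "      - name: nexmo/github-actions/submodule-auto-pr",
  "        uses: nexmo/github-actions/submodule-auto-pr@main",
].join("\n");

console.log(pinWorkflow(SAMPLE_WORKFLOW, { resolve: lookupSha }));
```

Two points worth noticing when reading the output: the Docker and local steps pass through untouched, and a second run over already-pinned text follows the ref recorded in the pin@ comment rather than the SHA in the value, so the pin moves to whatever that ref points at now. That is the behaviour that makes re-running convenient, and also why the resulting diff deserves the same review as any other dependency update before it is merged.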