Caution
This tool is deprecated and will not be maintained further; consider migrating to one of these alternatives:
- zizmorcore/zizmor: static analysis for GitHub workflows including pinning of actions
- suzuki-shunsuke/pinact: supports updating and hash-pinning workflows, actions, and arbitrary inputs.
- davidism/gha-update: supports updating and hash-pinning workflow definitions.
- stacklok/frizbee: supports hash-pinning (but not updating) workflow definitions.
Analyses and pins GitHub actions in your workflows.
This tool pins the GitHub Actions referenced in your workflows to a commit SHA-1 hash instead of a tag. This improves security because Git tags are not immutable: a tag can be moved to point at a different commit, whereas a commit hash identifies exactly one revision.

For example, it converts

```yaml
uses: aws-actions/configure-aws-credentials@v1.7.0
```

to

```yaml
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
```

The original tag is kept as a trailing comment so the pinned version stays readable.
To exclude a specific action from pinning, add a `pinning: ignore` comment to its `uses:` line.

Example using the generic SLSA generator reusable workflow, which MUST be referenced by a tag rather than a commit hash:

```yaml
provenance:
  needs: ['prepare', 'build-dist']
  permissions:
    actions: read
    contents: write
    id-token: write # Needed to access the workflow's OIDC identity.
  uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # pinning: ignore
  with:
    base64-subjects: "${{ needs.build-dist.outputs.hashes }}"
    upload-assets: true
```

This repo provides a pre-commit hook that runs `octopin pin`. Add the following snippet to your `.pre-commit-config.yaml` to use it:
```yaml
- repo: https://github.com/eclipse-csi/octopin
  rev: main # Recommended to pin to a tagged release
  hooks:
    - id: pin-versions
```
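The tag-to-SHA rewrite and the `pinning: ignore` escape hatch described above, as an added example that is not octopin's own code: a small Python script that walks a workflow's `uses:` lines and pins each resolvable tag to a commit hash, keeping the tag as a trailing comment. The `RESOLVED` map is constructed for this example and stands in for the network lookup a real tool performs (for instance `git ls-remote <repo> refs/tags/<tag>`); the aws-actions pair is the one shown in this README, while the `actions/checkout` value is a placeholder and not a real commit. Local (`./`) and `docker://` references cannot be hash-pinned and are reported as skipped, tags the resolver does not know are reported as unresolved rather than silently rewritten, and running the script twice is a no-op because already-pinned lines are detected by their 40-hex-digit version.

```python
"""Rewrite `uses:` references in a GitHub workflow from tags to commit SHAs (example code)."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches both step-level `- uses:` and job-level `uses:` (reusable workflows).
USES_RE = re.compile(r"^(?P<prefix>\s*(?:-\s+)?uses:\s*)(?P<ref>[^\s#]+)(?P<rest>.*)$")

# Constructed tag -> commit map standing in for a network lookup.
# The aws-actions entry is the pair shown in the README; the
# actions/checkout entry is a placeholder value, not a real commit.
RESOLVED = {
    ("aws-actions/configure-aws-credentials", "v1.7.0"):
        "67fbcbb121271f7775d2e7715933280b06314838",
    ("actions/checkout", "v4"): "a" * 40,  # placeholder, not a real SHA
}


def resolve(repo, version):
    """Look a tag up in the constructed map; None means it could not be resolved."""
    return RESOLVED.get((repo, version))


def split_ref(ref):
    """Split 'owner/repo[/path]@version' into (owner/repo, version).

    Returns None for references that cannot be hash-pinned: local paths,
    docker images, and anything without an '@version' part.
    """
    if ref.startswith("./") or ref.startswith("docker://") or "@" not in ref:
        return None
    target, version = ref.rsplit("@", 1)
    parts = target.split("/")
    if len(parts) < 2:
        return None
    return "/".join(parts[:2]), version


def pin_line(line, resolver=resolve):
    """Return (new_line, status) for one workflow line."""
    m = USES_RE.match(line)
    if not m:
        return line, "not-a-uses-line"
    ref, rest = m.group("ref"), m.group("rest")
    if "pinning: ignore" in rest:
        return line, "ignored"
    parsed = split_ref(ref)
    if parsed is None:
        return line, "skipped"
    repo, version = parsed
    if SHA_RE.match(version):
        return line, "already-pinned"
    sha = resolver(repo, version)
    if sha is None:
        return line, "unresolved"
    target = ref.rsplit("@", 1)[0]
    # Any existing trailing comment is replaced by the human-readable tag.
    return f"{m.group('prefix')}{target}@{sha} # {version}", "pinned"


def pin_workflow(text, resolver=resolve):
    """Pin every `uses:` line in a workflow; returns (new_text, [(line_no, status)])."""
    out, report = [], []
    for n, line in enumerate(text.splitlines(), 1):
        new_line, status = pin_line(line, resolver)
        if status != "not-a-uses-line":
            report.append((n, status))
        out.append(new_line)
    return "\n".join(out) + "\n", report


# Constructed sample workflow exercising each case the script handles.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v1.7.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: some-org/unknown-action@v9
      - uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
  provenance:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # pinning: ignore
"""

if __name__ == "__main__":
    pinned, findings = pin_workflow(SAMPLE)
    print(pinned)
    for line_no, status in findings:
        print(f"line {line_no}: {status}")
```

In a CI check you would treat any `unresolved` entry as a failure rather than leaving the tag in place, since a tag that cannot be resolved is exactly the case where the reference's target is unknown.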