{"id":29730507,"url":"https://github.com/csm-actions/securefix-action","last_synced_at":"2026-04-25T07:01:55.137Z","repository":{"id":282131134,"uuid":"947590271","full_name":"csm-actions/securefix-action","owner":"csm-actions","description":"GitHub Action to fix code securely","archived":false,"fork":false,"pushed_at":"2026-02-23T00:57:16.000Z","size":9385,"stargazers_count":35,"open_issues_count":5,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-23T06:22:13.972Z","etag":null,"topics":["cicd","github-actions","oss","security"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/csm-actions.png","metadata":{"files":{"readme":"README.md","changelog":"changelogs/v0.1.0.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["suzuki-shunsuke"]}},"created_at":"2025-03-12T23:47:46.000Z","updated_at":"2026-02-23T00:56:48.000Z","dependencies_parsed_at":"2025-04-20T15:23:32.480Z","dependency_job_id":"5082c22d-0166-415f-acb0-f5603e27fc82","html_url":"https://github.com/csm-actions/securefix-action","commit_stats":null,"previous_names":["securefix-action/action","csm-actions/securefix-action"],"tags_count":26,"template":false,"template_full_name":null,"purl":"pkg:github/csm-actions/securefix-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csm-actions%2Fsecurefix-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/c
sm-actions%2Fsecurefix-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csm-actions%2Fsecurefix-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csm-actions%2Fsecurefix-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/csm-actions","download_url":"https://codeload.github.com/csm-actions/securefix-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csm-actions%2Fsecurefix-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29893320,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-27T09:48:51.284Z","status":"ssl_error","status_checked_at":"2026-02-27T09:48:43.992Z","response_time":57,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cicd","github-actions","oss","security"],"created_at":"2025-07-25T05:31:28.742Z","updated_at":"2026-04-25T07:01:55.114Z","avatar_url":"https://github.com/csm-actions.png","language":"TypeScript","funding_links":["https://github.com/sponsors/suzuki-shunsuke"],"categories":[],"sub_categories":[],"readme":"# Securefix Action\n\n[![Ask 
DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/csm-actions/securefix-action)\n[![License](http://img.shields.io/badge/license-mit-blue.svg?style=flat-square)](https://raw.githubusercontent.com/csm-actions/securefix-action/main/LICENSE) | [Versioning Policy](https://github.com/suzuki-shunsuke/versioning-policy/blob/main/POLICY.md) | [NotebookLM](https://notebooklm.google.com/notebook/558f0a54-6ff2-4d3d-887d-427b3e0d2b13)\n\nSecurefix Action is a GitHub Action to fix code securely.\n\n![image](https://github.com/user-attachments/assets/21ec46f9-3c9b-4314-8609-0ef1b8c25791)\n\n![image](https://github.com/user-attachments/assets/5d854cf1-cff1-4af2-ab71-81cba3d8eb1d)\n\nSecurefix Action allows you to fix code securely without sharing a GitHub App private key with strong permissions such as `contents:write` across GitHub Actions workflows.\nYou don't need to allow external services to access your code.\nIt elevates the security of your workflows to the next level.\n\nFurthermore, it's easy to use.\nYou don't need to host a server application.\nIt achieves a server/client architecture using GitHub Actions with a unique approach.\n\n## :bulb: NotebookLM And DeepWiki\n\n- [Google NotebookLM](https://notebooklm.google.com/notebook/558f0a54-6ff2-4d3d-887d-427b3e0d2b13)\n- [DeepWiki](https://deepwiki.com/csm-actions/securefix-action)\n\n## :rocket: Recent Important Updates\n\n- [v0.5.6 (2026-03)](https://github.com/csm-actions/securefix-action/releases/tag/v0.5.6)\n  - :bug: [Fix a bug where the client fails when some files are deleted](https://github.com/csm-actions/securefix-action/issues/559)\n  - 💪 [Support passing custom parameters from client to server to customize the server workflow](https://github.com/csm-actions/securefix-action/pull/564)\n- :bug: [v0.5.5 (2026-02) Fix a bug where Git Submodules are broken](https://github.com/csm-actions/securefix-action/releases/tag/v0.5.5)\n- :warning: [v0.5.3 (2026-01) pull_request.base_branches in configuration files were 
abandoned](https://github.com/csm-actions/securefix-action/releases/tag/v0.5.3)\n- 💪 [v0.4.2 (2025-12) You can write Configuration files more simply](https://github.com/csm-actions/securefix-action/releases/tag/v0.4.2)\n- :rocket: [v0.4.1 (2025-11) The performance was drastically improved](https://github.com/csm-actions/securefix-action/releases/tag/v0.4.1)\n- :warning: [v0.3.0 (2025-10) If the repository or branch is changed, the source branch must be protected for security.](https://github.com/csm-actions/securefix-action/releases/tag/v0.3.0)\n\nSee also [Release Notes](https://github.com/csm-actions/securefix-action/releases).\n\n## Features\n\n- 💪 Increase developer productivity by fixing code in CI\n- 🛡 Secure\n  - You don't need to pass a GitHub App private key with strong permissions to GitHub Actions workflows on the client side\n  - You don't need to allow external services to access your code\n  - You can define custom validation before creating a commit\n  - Commits are verified (signed)\n- 😊 Easy to use\n  - You can create a commit with a single action on the client side\n  - You don't need to host a server application\n\n## Overview\n\nSometimes you want to fix code in CI:\n\n- Format code\n- Generate documents from code\n- etc\n\nFor public repositories, we strongly recommend [autofix.ci](https://autofix.ci).\nautofix.ci allows you to fix code securely in the CI of pull requests, including pull requests from fork repositories.\nautofix.ci is easy to use, and it's free for public repositories. We love it.\n\nautofix.ci is also available for private repositories, but it may be hard to use in your company's private repositories:\n\n- It's not free, so you may have to submit a request to your company\n- You need to allow the external server of autofix.ci to access your code. 
Perhaps you can't accept that\n- If you don't receive pull requests from fork repositories, the reason to use autofix.ci might not be so strong, because you can fix code using actions such as [commit-action](https://github.com/suzuki-shunsuke/commit-action)\n\nWe think autofix.ci is valuable in private repositories too, but perhaps you can't use it.\n\nIf you fix code in CI, you need an access token with `contents:write` permission.\nBut if the token is abused, malicious code can be committed.\nFor instance, an attacker can create a malicious commit on a pull request, and they may then be able to approve and merge the pull request.\nThis is dangerous.\n\nTo prevent such a threat, you must protect personal access tokens and GitHub Apps that have strong permissions.\n\nOne solution is [the Client/Server Model](https://github.com/securefix-action/client-server-model-docs).\nClients are GitHub Actions workflows that want to fix code.\nThey send a request to the server, then the server fixes the code.\nYou don't need to pass an access token with strong permissions to clients (GitHub Actions Workflows).\n\nThen how do you build the server?\nFor instance, you could build the server using AWS Lambda, Google Cloud Functions, Kubernetes, and so on.\nBut we don't want to host such a server application.\n\nSo we built a server using a GitHub Actions workflow with a unique approach.\nYou don't need to host a server application.\n\n## Example\n\n- [demo-server](https://github.com/securefix-action/demo-server): [workflow](https://github.com/securefix-action/demo-server/blob/main/.github/workflows/securefix.yaml)\n- [demo-client](https://github.com/securefix-action/demo-client): [workflow](https://github.com/securefix-action/demo-client/blob/main/.github/workflows/securefix.yaml)\n\n## Architecture\n\nSecurefix Action adopts [the Client/Server Model](https://github.com/csm-actions/docs).\nIt uses the following GitHub Apps, repositories, and workflows:\n\n- two GitHub Apps\n  - a 
Server GitHub App: a GitHub App to create commits\n  - a Client GitHub App: a GitHub App to send requests to a server workflow\n- Repositories\n  - a Server repository: a repository where a server workflow works\n  - Client repositories: repositories where client workflows work\n- Workflows\n  - a Server Workflow: Receives requests from client workflows and creates commits\n  - a Client Workflow: Requests the Server Workflow to fix code\n\n![Image](https://github.com/user-attachments/assets/94781831-0aad-4513-ac92-fb5cfa859e19)\n\n- Server: 1 GitHub App, 1 Repository\n- Client: 1 GitHub App, N Repositories\n\n![Image](https://github.com/user-attachments/assets/383de1da-a267-4f96-a86c-9151d66cebc5)\n\n1. The client workflow uploads fixed files and metadata to GitHub Actions Artifacts\n2. The client workflow creates an issue label in the server repository\n3. The server workflow is triggered by the `label:created` event\n4. The server workflow deletes the issue label\n5. The server workflow downloads fixed files and metadata from GitHub Actions Artifacts\n6. The server workflow validates the request\n7. The server workflow pushes a commit to the client repository\n\n### :bulb: Why are labels used?\n\nSecurefix Action uses the `label` event to trigger a server workflow.\nGenerally `repository_dispatch` events are used to trigger workflows via the API, but they require the `actions:write` permission.\nThe `actions:write` permission is strong and dangerous, so we don't want to grant it.\nSo we looked for alternative events among [all events](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows), and we found the `label` event.\nEven if the permission is abused, the risk is low.\n\n## Getting Started\n\n1. 
Create two repositories from templates [demo-server](https://github.com/new?template_name=demo-server\u0026template_owner=securefix-action) and [demo-client](https://github.com/new?template_name=demo-client\u0026template_owner=securefix-action)\n1. [Create a GitHub App for server](#github-app-for-server)\n1. [Create a GitHub App for client](#github-app-for-client)\n1. Create GitHub App private keys\n1. [Add GitHub App's id and private keys to GitHub Secrets and Variables](#add-github-apps-id-and-private-keys-to-github-secrets-and-variables)\n1. [Fix the server workflow if necessary](#fix-the-server-workflow-if-necessary)\n1. [Fix the client workflow if necessary](#fix-the-client-workflow-if-necessary)\n1. [Add a new file `bar.yaml` to the client repository and create a pull request](#add-a-new-file-baryaml-to-the-client-repository-and-create-a-pull-request)\n\n### GitHub App for server\n\nDeactivate Webhook.\n\nPermissions:\n\n- `contents:write`: To create commits\n- `actions:read`: To download GitHub Actions Artifacts to fix code\n- `pull_requests:write`: To notify problems on the server side to pull requests\n- `workflows:write`: Optional. This is required if you want to fix GitHub Actions workflows\n- `members:read`: Optional. This is required if you want to request reviews from teams\n- Organization's `projects:write`: Optional. 
This is required if you want to add pull requests to GitHub Organization Projects\n\nInstalled Repositories: Install the app into the server repository and client repositories.\n\n### GitHub App for client\n\nDeactivate Webhook.\n\nPermissions:\n\n- `issues:write`: To create labels\n\nInstalled Repositories: Install the app into the server repository and client repositories.\n\n### Add GitHub App's id and private keys to GitHub Secrets and Variables\n\nAdd each GitHub App's ID and private key to Repository Variables and Secrets:\n\n- client\n  - id: client repository's variable `DEMO_CLIENT_APP_ID`\n  - private key: client repository's Repository Secret `DEMO_CLIENT_PRIVATE_KEY`\n- server\n  - id: server repository's variable `DEMO_SERVER_APP_ID`\n  - private key: server repository's Repository Secret `DEMO_SERVER_PRIVATE_KEY`\n\n\u003e [!WARNING]\n\u003e In the getting started, we add private keys to Repository Secrets for simplicity.\n\u003e But when you use Securefix Action in production, you must manage the Server GitHub App's private key and the server workflow securely.\n\u003e Only the server workflow should be able to access the server app's private key.\n\u003e [See also `How to manage a server GitHub App and a server workflow`](#how-to-manage-a-server-github-app-and-a-server-workflow).\n\n### Fix the server workflow if necessary\n\n[Workflow](https://github.com/securefix-action/demo-server/blob/main/.github/workflows/securefix.yaml)\n\nIf you change a variable name or a secret name, please fix the workflow.\n\n### Fix the client workflow if necessary\n\n[Workflow](https://github.com/securefix-action/demo-client/blob/main/.github/workflows/securefix.yaml)\n\n- If you change a variable name or a secret name, please fix the workflow\n- If you change the server repository name, please fix the input `server_repository`\n\n### Add a new file `bar.yaml` to the client repository and create a pull request\n\n1. 
Add `bar.yaml` to the client repository ([Example](https://github.com/securefix-action/demo-client/pull/8/commits/0a0103a3c319f08739632b72aef6b539377da11b))\n\nbar.yaml:\n\n```yaml\nnames:\n  - bar\n```\n\n2. Create a pull request ([Example](https://github.com/securefix-action/demo-client/pull/8)):\n\nThen the workflows run and `bar.yaml` is fixed automatically:\n\n![image](https://github.com/user-attachments/assets/808b7348-f1a6-41ff-97fb-c4125f31ed14)\n\n![image](https://github.com/user-attachments/assets/610668c2-a6e9-4c9b-a02a-381f9f1cd56a)\n\n[commit](https://github.com/securefix-action/demo-client/pull/8/commits/e8b1f71602ecacd7948351fd197a55370bdc38dd)\n\n```diff\n--- a/bar.yaml\n+++ b/bar.yaml\n@@ -1,2 +1,2 @@\n names:\n-- bar\n+  - bar\n```\n\n### Push to other repository and branch\n\nSecurefix Action \u003e= v0.2.0 [#123](https://github.com/csm-actions/securefix-action/pull/123)\n\nBy default, Securefix Action pushes a commit to the repository and branch where the action is run.\nBut there are use cases where you want to push a commit to another repository or branch:\n\n- Scaffold a pull request by `workflow_dispatch`\n- Update GitHub Pages\n- Create a pull request to repository A when repository B is updated\n- etc\n\nSecurefix Action can push a commit to another repository or branch securely.\nAllowing pushes to any repository or branch without restriction is dangerous, so by default changing the repository or branch isn't allowed and the action fails.\nCommits can be pushed only from allowed source repositories and branches to allowed target repositories and branches.\nFrom Securefix Action v0.3.0, the source branch must be protected.\n\n1. [Configure the server side](docs/prepare.md#config-config_file)\n2. [Configure the client side](docs/client.md#push-a-commit-to-the-other-repository-and-branch)\n\n### Create pull requests\n\nWhen pushing a commit to another repository or branch, you can also create a pull request.\n\n1. 
[Configure the server side](docs/prepare.md#config-config_file)\n2. [Configure the client side](docs/client.md#create-a-pull-request)\n\n## Actions\n\nSecurefix Action is a single JavaScript Action.\nIt has an input `action`, which accepts the following values:\n\n- [`client`: Client Action](docs/client.md)\n- [`server`: Server Action](docs/server.md)\n  - [`prepare`: Prepare for creating commits](docs/prepare.md)\n  - [`commit`: Create commits](docs/commit.md)\n  - [`notify`: Notify the failure to the client side](docs/notify.md)\n- [`validate-config`: Validate the configuration file of the server side](docs/validate-config.md)\n\nThe `server` action is a single action that consolidates the `prepare`, `commit`, and `notify` actions.\nIn most cases, you can simply use the `server` action.\n\nIf you need more flexibility, you can use the individual `prepare`, `commit`, and `notify` actions instead.\nFor example, you can insert your own validation logic between `prepare` and `commit`, or implement custom notification handling instead of using the default `notify` action.\n\n## Actions' Available Versions\n\nAs of Securefix Action v0.2.0, Securefix Action is released using [release-js-action](https://github.com/suzuki-shunsuke/release-js-action).\n[About available versions, please see the document.](https://github.com/suzuki-shunsuke/release-js-action/blob/main/docs/available_versions.md)\n\n## Security\n\n\u003e - You don't need to pass a GitHub App private key having strong permissions to GitHub Actions workflows on the client side\n\u003e - You don't need to allow external services to access your code\n\u003e - You can define custom validation before creating a commit\n\u003e - Commits are verified (signed)\n\nClient workflows can use a Client GitHub App, but it has only the `issues:write` permission.\nEven if the app is abused, the risk is low.\nBy default, the server action creates the commit in the same repository and branch as the workflow run that uploaded the GitHub Actions Artifact, and any other destination needs an explicit entry in the server configuration.\nSo it doesn't allow 
attackers to create a malicious commit to a different repository or a different branch.\n\n### How to manage a server GitHub App and a server workflow\n\nYou must protect the server GitHub App's private key and the server workflow from attacks.\nThere are several ideas:\n\n- GitHub App Private Key:\n  - [Use a GitHub Environment Secret](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-deployments/managing-environments-for-deployment#deployment-protection-rules)\n    - Restrict the branch\n  - Use a secret manager such as AWS Secrets Manager and [restrict access by OIDC claims (repository, event, branch, workflow, etc.)](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect)\n- Server Workflow\n  - Restrict which members have write permission on the server repository\n    - For instance, grant write permission only to system administrators\n\n### Custom Validation\n\nYou can insert custom validation between the `prepare` action and the `commit` action.\nYou can use [`prepare` action's outputs](docs/prepare.md#outputs).\n\n```yaml\n- uses: csm-actions/securefix-action@latest\n  id: prepare\n  with:\n    action: prepare\n    app_id: ${{ vars.DEMO_SERVER_APP_ID }}\n    app_private_key: ${{ secrets.DEMO_SERVER_PRIVATE_KEY }}\n# Custom Validation: fail the job (so no commit is created) unless the pull request author is the expected user\n- if: fromJson(steps.prepare.outputs.pull_request).user.login != 'suzuki-shunsuke'\n  run: |\n    exit 1\n- uses: csm-actions/securefix-action@latest\n  with:\n    action: commit\n    outputs: ${{ toJson(steps.prepare.outputs) }}\n- uses: csm-actions/securefix-action@latest\n  if: failure()\n  with:\n    action: notify\n    outputs: ${{ toJson(steps.prepare.outputs) }}\n```\n\n## Troubleshooting\n\n- [Error: No matching entry found in the config for the given repository and branch.](docs/codes/001.md)\n\n### Client Workflow Name\n\nBy default, the client workflow name must be `securefix` for security.\nOtherwise, the 
prepare action fails.\n[You can change the workflow name or remove the restriction using the prepare action's `workflow_name` input.](docs/prepare.md#optional-inputs)\n\n### How To Fix Workflow Files\n\nBy default, Securefix Action doesn't allow you to fix workflow files for security.\nThe server action fails if the fixed files include workflow files.\n[You can allow it by setting the prepare action's `allow_workflow_fix` to `true`.](docs/prepare.md#optional-inputs)\n\n### GitHub API Rate Limiting\n\nIf you use the Server Action in many client repositories and hit GitHub API rate limiting, you can avoid it by creating additional GitHub Apps and server repositories and splitting the clients among them:\n\n![Image](https://github.com/user-attachments/assets/34551fb7-6471-4bf2-bea1-c6056c005330)\n\nReference:\n\n- [Rate Limit of REST API](https://docs.github.com/en/enterprise-cloud@latest/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28)\n- [Rate Limit of GraphQL API](https://docs.github.com/en/enterprise-cloud@latest/graphql/overview/rate-limits-and-node-limits-for-the-graphql-api)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcsm-actions%2Fsecurefix-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcsm-actions%2Fsecurefix-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcsm-actions%2Fsecurefix-action/lists"}