{"id":27972748,"url":"https://github.com/datosh/pinned-actions","last_synced_at":"2025-05-07T23:19:34.743Z","repository":{"id":239997525,"uuid":"798733499","full_name":"datosh/pinned-actions","owner":"datosh","description":"How many GitHub repositories actually pin by hash?","archived":false,"fork":false,"pushed_at":"2024-06-13T07:23:15.000Z","size":275,"stargazers_count":8,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-06-13T10:27:02.796Z","etag":null,"topics":["github-actions","security","supply-chain-security"],"latest_commit_sha":null,"homepage":"https://pin-gh-actions.kammel.dev/","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/datosh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-10T11:01:51.000Z","updated_at":"2024-06-13T07:23:36.000Z","dependencies_parsed_at":"2024-06-13T10:02:40.120Z","dependency_job_id":"929214f1-df63-4937-8b83-bf398b2d57f2","html_url":"https://github.com/datosh/pinned-actions","commit_stats":null,"previous_names":["datosh/pinned-actions"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datosh%2Fpinned-actions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datosh%2Fpinned-actions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datosh%2Fpinned-actions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datosh%2Fpinned-actions/manifests","owner_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/datosh","download_url":"https://codeload.github.com/datosh/pinned-actions/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252968508,"owners_count":21833309,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","security","supply-chain-security"],"created_at":"2025-05-07T23:19:34.169Z","updated_at":"2025-05-07T23:19:34.734Z","avatar_url":"https://github.com/datosh.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Pinned Actions\n\nWhile researching GitHub Actions for a talk, I asked myself: \"How many repositories use GitHub Actions via pin-by-hash?\". As I was unable to find a tool that could answer this question, I decided to build one myself.\n\nThe results are published at: [http://pin-gh-actions.kammel.dev/](http://pin-gh-actions.kammel.dev/)\n\n## Usage\n\n```sh\n$ go run . --help\nUsage of GH Pinned Actions:\n  -download-dir string\n        path to folder where repositories will be downloaded (default \"/tmp/pinned\")\n  -max-pages int\n        maximum number of pages to download (default 1)\n  -per-page int\n        number of repositories to download per page (default 100)\n```\n\n## Example\n\nTo replicate the results for 10,000 repositories, run:\n\n```sh\ngo run . -max-pages 100\n```\n\n\u003e [!NOTE]\n\u003e The default download directory is `/tmp/pinned`. 
You can change it with the `--download-dir` flag.\n\n\u003e [!WARNING]\n\u003e Downloading 10,000 repositories will take a long time (depending on your internet connection) and **consume about 1.5TB of disk space**.\n\n## Architecture\n\nNotes about the chosen libraries and APIs.\n\n### GitHub Search API\n\nWe use the public GitHub [repository search API](https://docs.github.com/en/rest/search/search?apiVersion=2022-11-28#search-repositories) to request [the most popular repositories by stars](https://github.com/search?q=stars%3A10000..500000\u0026type=repositories\u0026ref=advsearch\u0026s=stars\u0026o=desc). Although the search API supports pagination, it has a limit of 100 results per page, and additionally [a limit of 1000 results per search](https://docs.github.com/en/rest/search/search?apiVersion=2022-11-28#about-search).\n\nTo get around this limitation, we modify the search query after each request, and only use the first page returned.\n\n### go-git\n\nAlthough `go-git` was the initial choice to clone the repositories, it was later replaced by `os/exec` and `git` due to performance limitations of the library. See [linux-fetcher](./linux-fetcher/README.md).\n\n### Parsing Actions\n\n[stacklok/frizbee](https://github.com/stacklok/frizbee/tree/main/pkg/ghactions) already provides all the necessary tools to parse GitHub Actions. We use this library to parse the actions from the repositories.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatosh%2Fpinned-actions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdatosh%2Fpinned-actions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatosh%2Fpinned-actions/lists"}