{"id":27260275,"url":"https://github.com/eclipse-csi/octopin","last_synced_at":"2025-10-14T00:09:08.503Z","repository":{"id":235907130,"uuid":"791508435","full_name":"eclipse-csi/octopin","owner":"eclipse-csi","description":"Analyses and pins GitHub actions in your workflows.","archived":false,"fork":false,"pushed_at":"2025-09-15T19:15:28.000Z","size":113,"stargazers_count":1,"open_issues_count":7,"forks_count":3,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-09-24T22:52:15.117Z","etag":null,"topics":["github-actions","python","security","supply-chain"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"epl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eclipse-csi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/contributing.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-04-24T20:59:54.000Z","updated_at":"2025-06-24T06:51:28.000Z","dependencies_parsed_at":"2024-04-24T21:45:35.425Z","dependency_job_id":"6f436ea0-7367-429f-ae5f-83da443de698","html_url":"https://github.com/eclipse-csi/octopin","commit_stats":null,"previous_names":["eclipse-csi/octopin"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/eclipse-csi/octopin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eclipse-csi%2Foctopin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eclipse-csi%2Foctopin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eclipse-csi%2Foctopin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repo
sitories/eclipse-csi%2Foctopin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eclipse-csi","download_url":"https://codeload.github.com/eclipse-csi/octopin/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eclipse-csi%2Foctopin/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279017381,"owners_count":26086052,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-13T02:00:06.723Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","python","security","supply-chain"],"created_at":"2025-04-11T04:43:57.800Z","updated_at":"2025-10-14T00:09:08.498Z","avatar_url":"https://github.com/eclipse-csi.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003e\n\n\u003ca href=\"https://octopin.readthedocs.org\"\u003e\n  \u003cimg style=\"width: 150px;\" src=\"https://raw.githubusercontent.com/eclipse-csi/.github/refs/heads/main/artwork/eclipse-csi/logo-emblem/500x500%20Transparent.png\"\u003e\n\u003c/a\u003e\n\n\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://pypi.org/project/octopin\"\u003e\u003cimg alt=\"PyPI\" src=\"https://img.shields.io/pypi/v/octopin.svg?color=blue\u0026maxAge=600\" /\u003e\u003c/a\u003e\n  \u003ca 
href=\"https://pypi.org/project/octopin\"\u003e\u003cimg alt=\"PyPI - Python Versions\" src=\"https://img.shields.io/pypi/pyversions/octopin.svg?maxAge=600\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/eclipse-csi/octopin/blob/main/LICENSE\"\u003e\u003cimg alt=\"EPLv2 License\" src=\"https://img.shields.io/github/license/eclipse-csi/octopin\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/eclipse-csi/octopin/actions/workflows/build.yml?query=branch%3Amain\"\u003e\u003cimg alt=\"Build Status on GitHub\" src=\"https://github.com/eclipse-csi/octopin/actions/workflows/build.yml/badge.svg?branch:main\u0026workflow:Build\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://octopin.readthedocs.io\"\u003e\u003cimg alt=\"Documentation Status\" src=\"https://readthedocs.org/projects/octopin/badge/?version=latest\" /\u003e\u003c/a\u003e\u003cbr\u003e\n  \u003ca href=\"https://scorecard.dev/viewer/?uri=github.com/eclipse-csi/octopin\"\u003e\u003cimg alt=\"OpenSSF Scorecard\" src=\"https://api.securityscorecards.dev/projects/github.com/eclipse-csi/octopin/badge\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://slsa.dev\"\u003e\u003cimg alt=\"OpenSSF SLSA Level 3\" src=\"https://slsa.dev/images/gh-badge-level3.svg\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n# Eclipse Octopin\n\nAnalyses and pins GitHub actions in your workflows.\n\nThis tool pins your GitHub Action versions to use the SHA-1 hash\ninstead of tag to improve security as Git tags are not immutable.\n\nConverts `uses: aws-actions/configure-aws-credentials@v1.7.0` to\n`uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0`\n\n## Skipping actions\n\nTo skip a specific action from being pinned, you can add a comment `pinning: ignore`.\n\nExample using the generic SLSA generator action which *MUST* be [referenced](https://github.com/slsa-framework/slsa-github-generator?tab=readme-ov-file#referencing-slsa-builders-and-generators) by a tag rather than a commit 
hash:\n\n```yaml\nprovenance:\n    needs: ['prepare', 'build-dist']\n    permissions:\n      actions: read\n      contents: write\n      id-token: write # Needed to access the workflow's OIDC identity.\n    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # pinning: ignore\n    with:\n      base64-subjects: \"${{ needs.build-dist.outputs.hashes }}\"\n      upload-assets: true\n```\n\n## pre-commit hook\n\nThis repo provides a pre-commit hook to run `octopin pin`. Add the following\nsnippet to your `.pre-commit-config.yaml` to use it.\n\n```yaml\n- repo: https://github.com/eclipse-csi/octopin\n  rev: main  # Recommended to pin to a tagged release\n  hooks:\n  - id: pin-versions\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feclipse-csi%2Foctopin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feclipse-csi%2Foctopin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feclipse-csi%2Foctopin/lists"}