{"id":19584842,"url":"https://github.com/flex-development/gh-commit","last_synced_at":"2026-05-12T22:39:17.826Z","repository":{"id":204569088,"uuid":"712136400","full_name":"flex-development/gh-commit","owner":"flex-development","description":"Create commits with the GitHub API","archived":false,"fork":false,"pushed_at":"2024-04-29T12:32:19.000Z","size":4936,"stargazers_count":1,"open_issues_count":11,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-05-01T09:40:37.114Z","etag":null,"topics":["commit","commit-action","github-action","github-api","graphql","typescript"],"latest_commit_sha":null,"homepage":"https://github.com/flex-development/gh-commit","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/flex-development.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/funding.yml","license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["flex-development"]}},"created_at":"2023-10-30T21:35:29.000Z","updated_at":"2024-05-03T14:30:45.232Z","dependencies_parsed_at":"2023-12-01T14:13:31.802Z","dependency_job_id":"7e7999fa-8a27-470c-8375-5b03d602b4c1","html_url":"https://github.com/flex-development/gh-commit","commit_stats":null,"previous_names":["flex-development/commit-action","flex-development/gh-commit"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/flex-development/gh-commit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flex-development%2Fgh-commit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flex-development%2Fgh-commit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flex-development%2Fgh-commit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flex-development%2Fgh-commit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/flex-development","download_url":"https://codeload.github.com/flex-development/gh-commit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flex-development%2Fgh-commit/sbom","scorecard":{"id":403117,"data":{"date":"2025-08-11","repo":{"name":"github.com/flex-development/gh-commit","commit":"4537f495676319d018585417f18764cd9333232b"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2,"checks":[{"name":"Code-Review","score":-1,"reason":"Found no human activity in the last 30 changesets","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":0,"reason":"dangerous workflow patterns detected","details":["Warn: script injection with untrusted input ' github.event.head_commit.message ': .github/workflows/release-chore.yml:79"],"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/ci.yml:292","Info: jobLevel 'packages' permission set to 'read': .github/workflows/release-chore.yml:123","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:48","Warn: no topLevel permission defined: .github/workflows/add-to-project.yml:1","Warn: no topLevel permission defined: .github/workflows/auto-merge.yml:1","Warn: no topLevel permission defined: .github/workflows/auto-review.yml:1","Warn: topLevel 'actions' permission set to 'write': .github/workflows/cache-cleanup.yml:32","Info: topLevel 'packages' permission set to 'read': .github/workflows/ci.yml:39","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:38","Info: topLevel 'packages' permission set to 'read': .github/workflows/dependabot-rebuild.yml:31","Warn: no topLevel permission defined: .github/workflows/infrastructure.yml:1","Info: topLevel 'packages' permission set to 'read': .github/workflows/integrity.yml:33","Warn: no topLevel permission defined: .github/workflows/release-chore.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Info: FSF or OSI recognized license: BSD 3-Clause \"New\" or \"Revised\" License: LICENSE.md:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact 1.0.0 not signed: https://api.github.com/repos/flex-development/gh-commit/releases/128022783","Warn: release artifact 1.0.0 does not have provenance: https://api.github.com/repos/flex-development/gh-commit/releases/128022783"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Info: Possibly incomplete results: error parsing shell code: invalid parameter name: .github/workflows/release-chore.yml:188","Info: Possibly incomplete results: error parsing shell code: invalid parameter name: .github/workflows/release.yml:71","Warn: third-party GitHubAction not pinned by hash: .github/workflows/add-to-project.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/add-to-project.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/add-to-project.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/add-to-project.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/add-to-project.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/add-to-project.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/auto-merge.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/auto-merge.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-merge.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/auto-merge.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-merge.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/auto-merge.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/auto-review.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/auto-review.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-review.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/auto-review.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-review.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/auto-review.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/auto-review.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/auto-review.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/cache-cleanup.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/cache-cleanup.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cache-cleanup.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/cache-cleanup.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:105: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:158: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:164: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:171: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:216: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:222: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:229: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:89: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:133: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:140: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:187: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:193: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:200: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:250: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:256: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:262: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:270: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:302: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:307: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:313: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:322: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:333: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:363: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:369: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:376: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:388: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:409: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:416: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:423: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/dependabot-rebuild.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/dependabot-rebuild.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependabot-rebuild.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/dependabot-rebuild.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependabot-rebuild.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/dependabot-rebuild.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependabot-rebuild.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/dependabot-rebuild.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/infrastructure.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/infrastructure.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/infrastructure.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/infrastructure.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/infrastructure.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/infrastructure.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/infrastructure.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/infrastructure.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integrity.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/integrity.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/label-linked-issues.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/label-linked-issues.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/label-linked-issues.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/label-linked-issues.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/label-linked-issues.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/label-linked-issues.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/label-linked-issues.yml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/label-linked-issues.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/lock-inactive-threads.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/lock-inactive-threads.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/no-response.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/no-response.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-chore.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/release-chore.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-chore.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/release-chore.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-chore.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/release-chore.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-chore.yml:103: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/release-chore.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-chore.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/release-chore.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-chore.yml:130: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/release-chore.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-chore.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/release-chore.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-chore.yml:152: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/release-chore.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-chore.yml:199: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/release-chore.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-chore.yml:205: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/release-chore.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:92: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:134: update your workflow using https://app.stepsecurity.io/secureworkflow/flex-development/gh-commit/release.yml/main?enable=pin","Info:   0 out of  54 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  23 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Branch-Protection","score":8,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'","Info: 'stale review dismissal' is required to merge on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Warn: codeowners review is not required on branch 'main'","Info: 'last push approval' is required to merge on branch 'main'","Info: 'up-to-date branches' is required to merge on branch 'main'","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"26 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-cj7v-w2c7-cp7c","Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q","Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38","Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99","Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55","Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j","Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm","Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36","Warn: Project is vulnerable to: GHSA-c76h-2ccp-4975","Warn: Project is vulnerable to: GHSA-cxrh-j4jr-qwg3","Warn: Project is vulnerable to: GHSA-64vr-g452-qvp3","Warn: Project is vulnerable to: GHSA-9cwx-2883-4wfx","Warn: Project is vulnerable to: GHSA-vg6x-rcgg-rjx6","Warn: Project is vulnerable to: GHSA-x574-m823-4x7w","Warn: Project is vulnerable to: GHSA-4r4m-qw57-chr8","Warn: Project is vulnerable to: GHSA-xcj6-pq6g-qj4x","Warn: Project is vulnerable to: GHSA-356w-63v5-8wf4","Warn: Project is vulnerable to: GHSA-859w-5945-r5v3","Warn: Project is vulnerable to: GHSA-9crc-q9x8-hgqq"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-18T20:33:00.298Z","repository_id":204569088,"created_at":"2025-08-18T20:33:00.298Z","updated_at":"2025-08-18T20:33:00.298Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32960295,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-12T09:19:52.626Z","status":"ssl_error","status_checked_at":"2026-05-12T09:17:33.438Z","response_time":102,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["commit","commit-action","github-action","github-api","graphql","typescript"],"created_at":"2024-11-11T07:50:26.946Z","updated_at":"2026-05-12T22:39:17.797Z","avatar_url":"https://github.com/flex-development.png","language":"TypeScript","funding_links":["https://github.com/sponsors/flex-development"],"categories":[],"sub_categories":[],"readme":"# :white_check_mark: gh-commit\n\n[![github release](https://img.shields.io/github/v/release/flex-development/gh-commit.svg?include_prereleases\u0026sort=semver)](https://github.com/flex-development/gh-commit/releases/latest)\n[![github marketplace](https://img.shields.io/badge/marketplace-gh--commit-blue?logo=github)](https://github.com/marketplace/actions/gh-commit)\n[![codecov](https://codecov.io/gh/flex-development/gh-commit/branch/main/graph/badge.svg?token=)](https://codecov.io/gh/flex-development/gh-commit)\n[![module type: esm](https://img.shields.io/badge/module%20type-esm-brightgreen)](https://github.com/voxpelli/badges-cjs-esm)\n[![sponsor](https://img.shields.io/badge/sponsor-flex--development-blue.svg?logo=github)](https://github.com/sponsors/flex-development)\n[![license](https://img.shields.io/github/license/flex-development/gh-commit.svg)](LICENSE.md)\n[![conventional commits](https://img.shields.io/badge/-conventional%20commits-fe5196?logo=conventional-commits\u0026logoColor=ffffff)](https://conventionalcommits.org/)\n[![typescript](https://img.shields.io/badge/-typescript-3178c6?logo=typescript\u0026logoColor=ffffff)](https://typescriptlang.org/)\n[![vitest](https://img.shields.io/badge/-vitest-6e9f18?style=flat\u0026logo=vitest\u0026logoColor=ffffff)](https://vitest.dev/)\n[![yarn](https://img.shields.io/badge/-yarn-2c8ebb?style=flat\u0026logo=yarn\u0026logoColor=ffffff)](https://yarnpkg.com/)\n\nCreate commits with the [GitHub API][1]\n\n## Contents\n\n- [What is this?](#what-is-this)\n- [Use](#use)\n  - [Example Workflow](#example-workflow)\n  - [Inputs](#inputs)\n    - [`api`](#api)\n    - [`files`](#files)\n    - [`message`](#message)\n    - [`owner`](#owner)\n    - [`ref`](#ref)\n    - [`repo`](#repo)\n    - [`token`](#token)\n      - [Required Permissions](#required-permissions)\n    - [`trailers`](#trailers)\n    - [`workspace`](#workspace)\n  - [Outputs](#outputs)\n    - [`sha`](#sha)\n\n## What is this?\n\nCreate commits with GitHub Actions via the [GitHub GraphQL API][1].\n\nCommits made using this action are automatically signed by GitHub if supported and marked as verified in the user\ninterface.\n\n![commit.png](./commit.png)\n\n## Use\n\n### Example Workflow\n\n```yaml\n# Release Chore\n#\n# Execute branch, version bump, changelog, and pull request operations on release chore commit.\n#\n# References:\n#\n# - https://docs.github.com/actions/learn-github-actions/contexts\n# - https://docs.github.com/actions/learn-github-actions/expressions\n# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#push\n# - https://docs.github.com/actions/using-workflows/using-github-cli-in-workflows\n# - https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions\n# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#push\n# - https://github.com/actions/checkout\n# - https://github.com/actions/create-github-app-token\n# - https://github.com/actions/github-script\n# - https://github.com/flex-development/grease\n# - https://github.com/hmarr/debug-action\n# - https://github.com/kaisugi/action-regex-match\n# - https://regex101.com/r/OwpOr2\n# - https://regex101.com/r/VIIVGd\n\n---\nname: release-chore\non:\n  push:\n    branches:\n      - main\nconcurrency:\n  cancel-in-progress: true\n  group: ${{ github.workflow }}-${{ github.ref }}\njobs:\n  preflight:\n    if: startsWith(github.event.head_commit.message, 'release(chore):')\n    runs-on: ubuntu-latest\n    outputs:\n      branch: ${{ steps.branch.outputs.result }}\n      message: ${{ steps.message.outputs.result }}\n      tag: ${{ steps.tag.outputs.result }}\n      version: ${{ steps.version.outputs.match }}\n    steps:\n      - id: debug\n        name: Print environment variables and event payload\n        uses: hmarr/debug-action@v2.1.0\n      - id: fail-actor\n        if: contains(vars.MAINTAINERS, github.actor) == false\n        name: Fail on unauthorized actor\n        run: |\n          echo '**Unauthorized actor: ${{ github.actor }}**' \u003e\u003e$GITHUB_STEP_SUMMARY\n          exit 1\n      - id: checkout\n        name: Checkout ${{ github.ref_name }}\n        uses: actions/checkout@v4.1.1\n        with:\n          persist-credentials: false\n          ref: ${{ github.ref }}\n      - id: version\n        name: Get release version\n        uses: kaisugi/action-regex-match@v1.0.0\n        with:\n          regex: ${{ vars.RELEASE_CHORE_REGEX }}\n          text: ${{ github.event.head_commit.message }}\n      - id: fail-version\n        if: steps.version.outputs.match == ''\n        name: Fail on invalid release version\n        run: |\n          ERR='**Invalid release chore commit: `${{ github.event.head_commit.message }}`**\n          Message must match [`${{ vars.RELEASE_CHORE_REGEX }}`](https://regex101.com/r/OwpOr2)'\n          echo \"$ERR\" \u003e\u003e$GITHUB_STEP_SUMMARY\n          exit 1\n      - id: tag\n        name: Get release tag\n        run: |\n          echo \"result=$(jq .tagprefix grease.config.json -r)${{ steps.version.outputs.match }}\" \u003e\u003e$GITHUB_OUTPUT\n      - id: message\n        name: Get release message\n        run: 'echo \"result=release: ${{ steps.tag.outputs.result }}\" \u003e\u003e$GITHUB_OUTPUT'\n      - id: branch\n        name: Get release branch name\n        run: echo \"result=release/${{ steps.version.outputs.match }}\" \u003e\u003e$GITHUB_OUTPUT\n  branch:\n    needs: preflight\n    runs-on: ubuntu-latest\n    steps:\n      - id: bot-token\n        name: Get bot token\n        uses: actions/create-github-app-token@v1.5.1\n        with:\n          app-id: ${{ secrets.BOT_APP_ID }}\n          private-key: ${{ secrets.BOT_PRIVATE_KEY }}\n      - id: checkout\n        name: Checkout ${{ github.ref_name }}\n        uses: actions/checkout@v4.1.1\n        with:\n          ref: ${{ github.ref }}\n          token: ${{ steps.bot-token.outputs.token }}\n      - id: branch\n        name: Create and push branch ${{ needs.preflight.outputs.branch }}\n        run: |\n          git branch ${{ needs.preflight.outputs.branch }}\n          git push origin --no-verify ${{ needs.preflight.outputs.branch }}\n  prepare:\n    needs:\n      - branch\n      - preflight\n    permissions:\n      packages: read\n    runs-on: ubuntu-latest\n    env:\n      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n    steps:\n      - id: bot-token\n        name: Get bot token\n        uses: actions/create-github-app-token@v1.5.1\n        with:\n          app-id: ${{ secrets.BOT_APP_ID }}\n          private-key: ${{ secrets.BOT_PRIVATE_KEY }}\n      - id: checkout\n        name: Checkout ${{ needs.preflight.outputs.branch }}\n        uses: actions/checkout@v4.1.1\n        with:\n          fetch-depth: 0\n          persist-credentials: false\n          ref: ${{ needs.preflight.outputs.branch }}\n          token: ${{ steps.bot-token.outputs.token }}\n      - id: yarn\n        name: Install dependencies\n        env:\n          HUSKY: 0\n        run: yarn \u0026\u0026 echo \"$GITHUB_WORKSPACE/node_modules/.bin\" \u003e\u003e$GITHUB_PATH\n      - id: build\n        name: Build project\n        env:\n          NODE_NO_WARNINGS: 1\n        run: yarn build\n      - id: bump-manifest\n        name: Bump manifest version to ${{ needs.preflight.outputs.version }}\n        run: grease bump -w ${{ needs.preflight.outputs.version }}\n      - id: bump-readme\n        name: Bump README version to ${{ needs.preflight.outputs.version }}\n        uses: actions/github-script@v6.4.1\n        with:\n          github-token: ${{ steps.bot-token.outputs.token }}\n          script: |\n            const fs = require('fs')\n\n            const path = 'README.md'\n            const regex = new RegExp('${{ vars.README_ACTION_VERSION_REGEX }}')\n\n            let content = fs.readFileSync(path, 'utf8')\n            content = content.replace(regex, '${{ needs.preflight.outputs.version }}')\n\n            fs.writeFileSync(path, content)\n            process.stdout.write(content)\n      - id: changelog\n        name: Add CHANGELOG entry for ${{ needs.preflight.outputs.tag }}\n        env:\n          TZ: ${{ vars.TZ }}\n        run: |\n          echo \"$(grease changelog)\" \u003e\u003e$GITHUB_STEP_SUMMARY\n          grease changelog -sw\n      - id: commit\n        name: Commit and push release preparation\n        uses: flex-development/gh-commit@1.0.0\n        with:\n          message: ${{ needs.preflight.outputs.message }}\n          ref: ${{ needs.preflight.outputs.branch }}\n          token: ${{ steps.bot-token.outputs.token }}\n          trailers: 'Signed-off-by: ${{ vars.BOT_NAME }} \u003c${{ vars.BOT_EMAIL }}\u003e'\n      - id: commit-url\n        name: Print commit url\n        run: echo ${{ format('{0}/{1}/commit/{2}', github.server_url, github.repository, steps.commit.outputs.sha) }}\n```\n\n\u003e See [`release-chore.yml`](.github/workflows/release-chore.yml) for a more robust example.\n\n### Inputs\n\n#### `api`\n\n\u003e default: `${{ github.api_url }}`\\\n\u003e required: `false`\n\nBase URL of GitHub API.\n\n#### `files`\n\n\u003e required: `false`\n\nNewline-delimited list of changed file filters.\n\nEach filter should be a file path relative to [`workspace`](#workspace).\n\nAll detected changes will be committed if file filters are not provided.\n\nFiles will be checked against `git status --porcelain --untracked-files`.\n\n#### `message`\n\n\u003e required: `true`\n\nCommit header and body without trailers.\n\n#### `owner`\n\n\u003e default: `${{ github.repository_owner }}`\\\n\u003e required: `false`\n\nRepository owner.\n\n#### `ref`\n\n\u003e default: `${{ github.event.workflow_run.head_branch || github.head_ref || github.ref }}`\\\n\u003e required: `false`\n\nName of branch to push commit to.\n\n#### `repo`\n\n\u003e default: `${{ github.event.repository.name }}`\\\n\u003e required: `false`\n\nRepository name.\n\n#### `token`\n\n\u003e default: `${{ github.token }}`\\\n\u003e required: `false`\n\nPersonal access token (PAT) used to authenticate GitHub API requests.\n\n##### [Required Permissions][2]\n\n- `contents:write`\n\n#### `trailers`\n\n\u003e required: `false`\n\nNewline-delimited list of git trailers.\n\n#### `workspace`\n\n\u003e default: `${{ github.workspace }}`\\\n\u003e required: `false`\n\nPath to current working directory.\n\n### Outputs\n\n#### `sha`\n\nSHA of created commit, or an empty string if a commit was not created.\n\n[1]: https://docs.github.com/graphql/reference/mutations#createcommitonbranch\n[2]: https://docs.github.com/actions/using-jobs/assigning-permissions-to-jobs\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflex-development%2Fgh-commit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflex-development%2Fgh-commit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflex-development%2Fgh-commit/lists"}