{"id":50834873,"url":"https://github.com/jclem/gh-actions-versions","last_synced_at":"2026-06-14T02:31:26.248Z","repository":{"id":339871113,"uuid":"1078845302","full_name":"jclem/gh-actions-versions","owner":"jclem","description":null,"archived":false,"fork":false,"pushed_at":"2026-02-22T00:33:02.000Z","size":21,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-22T08:40:36.598Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jclem.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2025-10-18T14:48:23.000Z","updated_at":"2026-02-22T00:32:47.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/jclem/gh-actions-versions","commit_stats":null,"previous_names":["jclem/gh-actions-versions"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/jclem/gh-actions-versions","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jclem%2Fgh-actions-versions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jclem%2Fgh-actions-versions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jclem%2Fgh-actions-versions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jclem%2Fgh-actions-versions/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jclem","download_url":"https://codeload.github.com/jclem/gh-actions-versions/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jclem%2Fgh-actions-versions/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34307683,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-14T02:00:07.365Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-14T02:31:25.114Z","updated_at":"2026-06-14T02:31:26.242Z","avatar_url":"https://github.com/jclem.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# gh-actions-versions\n\n`gh-actions-versions` is a GitHub CLI extension that inspects workflows and\ncomposite actions to ensure every external action reference is pinned to an\nexact commit SHA that matches the intended release tag. It also helps keep\nthose pins up to date in bulk.\n\n## Installation\n\n```bash\ngh extension install jclem/gh-actions-versions\n```\n\nThe command above installs precompiled binaries when a tagged release exists.\nIf no release is available yet, GitHub CLI falls back to the source launcher\nscript in this repo, which builds the extension locally on first run and\nrequires `go` to be installed.\n\nLocal development can run the extension via `go run .` from the repository\nroot.\n\n## Releasing\n\nThis repo publishes installable extension artifacts from tags that match `v*`.\n\n```bash\ngit tag v0.1.0\ngit push origin v0.1.0\n```\n\nPushing the tag triggers `.github/workflows/release.yml`, which runs\n`cli/gh-extension-precompile` and attaches platform-specific binaries to the\nGitHub release. After that, `gh extension install jclem/gh-actions-versions`\nworks without a local Go toolchain.\n\n## Commands\n\n| Command | Description |\n| --- | --- |\n| `gh actions-versions verify` | Validate that each `uses:` entry is pinned to a 40-char SHA and matches the tagged version comment. |\n| `gh actions-versions fix` | Resolve tag comments to SHAs and rewrite the workflow to match (leaves untouched items that already align). |\n| `gh actions-versions upgrade [owner/repo] [--version TAG]` | Re-pin every reference of an action to the latest release (or a specific tag). Use `--all` to upgrade every action. |\n| `gh actions-versions update [owner/repo]` | Refresh commits using the existing version comment as the constraint (e.g., latest `v2.x`). Supports `--all`. |\n\nEach command scans `.github/workflows/` and composite actions under\n`.github/actions/`.\n\n## Example\n\nThe `fix` command transforms unpinned action references into secure,\nversion-pinned SHAs:\n\n**Before:**\n```yaml\n- uses: actions/checkout@v5\n```\n\n**After:**\n```yaml\n- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5\n```\n\nThe SHA corresponds to the commit for the specified version tag, and the\ncomment preserves the human-readable version for maintainability.\n\n## Version Resolution\n\nVersion comments such as `# v2`, `# v2.1`, or `# v2.1.3` determine which\nrelease stream to follow when pinning. The resolver walks releases (and then\ntags) via the GitHub API, dereferencing annotated tags until it finds the\ncommit. Tags with major/minor specs always resolve to the newest matching\nrelease.\n\n## Development Workflow\n\n```bash\ngo build ./...   # Compile the extension\ngo test  ./...   # Run unit tests with mocked GitHub API calls\ngo run   . fix   # Execute a command against the current repo\n```\n\nThe repository relies on `gofmt` for code formatting—run it before committing.\n\n## Testing\n\n`main_test.go` contains comprehensive unit coverage for the resolver and\ncommand flows. Tests use an in-memory mock REST client, so no real network\naccess is needed. Add new tests alongside features and ensure `go test ./...`\npasses before opening a pull request.\n\n## Contributing\n\nWhen contributing:\n\n- Use imperative, descriptive commit messages (e.g., “Add update command for\nversion specs”).\n- Document behavioral changes in pull request descriptions and include sample\nCLI output (`go test ./...`, `gh actions-versions verify`, etc.).\n- Keep workflow examples in `testdata/sample/.github/workflows/` up to date to\ndemonstrate current expectations.\n\nRefer to `AGENTS.md` for deeper contributor guidance. Contributions and issue\nreports are welcome!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjclem%2Fgh-actions-versions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjclem%2Fgh-actions-versions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjclem%2Fgh-actions-versions/lists"}