{"id":15529790,"url":"https://github.com/mheap/pin-github-action","last_synced_at":"2025-10-05T16:53:22.806Z","repository":{"id":37742564,"uuid":"233875988","full_name":"mheap/pin-github-action","owner":"mheap","description":"Pin your GitHub actions to a specific hash","archived":false,"fork":false,"pushed_at":"2025-06-22T12:45:32.000Z","size":688,"stargazers_count":117,"open_issues_count":17,"forks_count":17,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-22T13:38:41.781Z","etag":null,"topics":["actions","cli","github","github-actions","security"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mheap.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-01-14T15:44:23.000Z","updated_at":"2025-06-22T12:45:34.000Z","dependencies_parsed_at":"2024-05-01T15:22:14.513Z","dependency_job_id":"5128783f-bd78-406b-96d8-3a7940029689","html_url":"https://github.com/mheap/pin-github-action","commit_stats":{"total_commits":58,"total_committers":3,"mean_commits":"19.333333333333332","dds":"0.15517241379310343","last_synced_commit":"8e271c1eb28e643569f502d4df589ce5d77add4e"},"previous_names":[],"tags_count":30,"template":false,"template_full_name":null,"purl":"pkg:github/mheap/pin-github-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mheap%2Fpin-github-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mheap%2Fpin-github-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/repositories/mheap%2Fpin-github-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mheap%2Fpin-github-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mheap","download_url":"https://codeload.github.com/mheap/pin-github-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mheap%2Fpin-github-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278486278,"owners_count":25994941,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-05T02:00:06.059Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","cli","github","github-actions","security"],"created_at":"2024-10-02T11:19:55.972Z","updated_at":"2025-10-05T16:53:22.799Z","avatar_url":"https://github.com/mheap.png","language":"JavaScript","readme":"# pin-github-action\n\nThis is a tool that allows you to pin your GitHub actions dependencies to a\nspecific SHA without requiring that you update every action manually each time\nyou want to use a newer version of an action.\n\nIt achieves this by converting your workflow to use a specific commit hash,\nwhilst adding the original value as a comment on that line. 
This allows us to\nresolve newer SHAs for that target ref automatically in the future.\n\nIt converts this:\n\n```yaml\nname: Commit Push\non:\n  push:\n    branches:\n      - master\njobs:\n  build:\n    name: nexmo/github-actions/submodule-auto-pr@main\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@main\n      - name: nexmo/github-actions/submodule-auto-pr\n        uses: nexmo/github-actions/submodule-auto-pr@main\n```\n\nInto this:\n\n```yaml\nname: Commit Push\non:\n  push:\n    branches:\n      - master\njobs:\n  build:\n    name: nexmo/github-actions/submodule-auto-pr@main\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@db41740e12847bb616a339b75eb9414e711417df # pin@main\n      - name: nexmo/github-actions/submodule-auto-pr\n        uses: nexmo/github-actions/submodule-auto-pr@73549280c1c566830040d9a01fe9050dae6a3036 # pin@main\n```\n\nFor more information, see [How it works](#how-it-works).\n\n## Installation\n\n### Nodejs\n\n```bash\nnpm install -g pin-github-action\n```\n\n### Docker\n\n```bash\nalias pin-github-action='docker run --rm -v $(pwd):/workflows -e GITHUB_TOKEN mheap/pin-github-action'\n```\n\n## Usage\n\nUse on a single file:\n\n```bash\npin-github-action /path/to/.github/workflows/your-name.yml\n```\n\nUse on all YAML|YML files in a single directory:\n\n```bash\npin-github-action /path/to/.github/workflows/\n```\n\nUse on all YAML|YML files in a directory tree:\n\n```bash\npin-github-action --recursive /path/to/.github/workflows/\n```\n\nIf you run the tool on a directory and want to continue processing when a single file fails, pass the `--continue-on-error` parameter:\n\n```bash\npin-github-action --continue-on-error /path/to/.github/workflows/\n```\n\nIf you use private actions (or are hitting rate limits), you'll need to provide\na GitHub access token:\n\n```bash\nGITHUB_TOKEN=\u003cyour-token-here\u003e pin-github-action /path/to/.github/workflows/your-name.yml\n```\n\nRun it as many times as 
you like! Each time you run the tool the exact SHA will\nbe updated to the latest available SHA for your pinned ref.\n\nIf you're having issues, run with debug logging enabled and open an issue:\n\n```bash\nDEBUG=\"pin-github-action*\" pin-github-action /path/to/.github/workflows/your-name.yml\n```\n\nYou can pass multiple files at once by adding additional files as arguments:\n\n```bash\npin-github-action first.yml second.yml\n```\n\nAnd you can mix directories with files:\n\n```bash\npin-github-action first.yml /path/to/.github/workflows/\n```\n\n## Leaving Actions unpinned\n\nTo leave an action unpinned, pass the `--allow` option when running `pin-github-action`.\n\nRunning `pin-github-action /path/to/.github/workflows/your-name.yml --allow \"actions/*\"` will turn this:\n\n```yaml\njobs:\n  build:\n    name: nexmo/github-actions/submodule-auto-pr@main\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@main\n      - uses: nexmo/github-actions/submodule-auto-pr@main\n```\n\nInto this (notice how `actions/checkout@main` is ignored):\n\n```yaml\njobs:\n  build:\n    name: nexmo/github-actions/submodule-auto-pr@main\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@main\n      - name: nexmo/github-actions/submodule-auto-pr\n        uses: nexmo/github-actions/submodule-auto-pr@73549280c1c566830040d9a01fe9050dae6a3036 # pin@main\n```\n\nYou can pass multiple actions to allow as a comma separated list e.g. 
`actions/checkout,mheap/*`\n\nA quick overview of the available globbing patterns (taken from [multimatch](https://github.com/sindresorhus/multimatch), which we use to match globs):\n\n- `*` matches any number of characters, but not `/`\n- `?` matches a single character, but not `/`\n- `**` matches any number of characters, including `/`, as long as it's the only thing in a path part\n- `{}` allows for a comma-separated list of \"or\" expressions\n- `!` at the beginning of a pattern will negate the match\n\nExamples:\n\n- Exact match: `actions/checkout`\n- Partial match: `actions/*`\n- Negated match: `!actions/*` (will only pin `actions/*` actions)\n\n## Enforcing that all actions are pinned\n\nYou can use [ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) to fail the build if any workflows contain an unpinned action.\n\nTo enable this, pass the `--enforce` flag with the path of the workflow file to create:\n\n```bash\npin-github-action --enforce .github/workflows/security.yaml .github/workflows\n```\n\nIf you specify the `--allow` flag, these actions will be added to the `allowlist` in the `ensure-sha-pinned-actions` action too.\n\n## Customising the {ref} comment\n\nYou can specify a comment containing the `{ref}` placeholder to customise the comment added.\n\n```bash\npin-github-action -c \" pin@{ref}\" /path/to/workflow.yaml\n```\n\n## How it works\n\n- Load the workflow file provided\n- Tokenise it into an AST\n- Extract all `uses` steps, skipping any `docker://` or `./local-path` actions\n- Loop through all `uses` steps to determine the target ref\n  - If there's a comment in the step, remove `pin@` and use that as the target\n  - Otherwise, fall back to the ref in the action as the default\n- Look up the current SHA for each repo on GitHub and update the action to use the specific hash\n  - If needed, add a comment with the target pinned version\n- Write the workflow file with the new pinned version and original 
target version as a comment\n\n## Contributing\n\n1. **Run tests**: Ensure all tests pass before submitting your changes.\n\n```bash\nnpm install\nnpm test\n```\n\n2. **Build and test locally using Docker**: You can build a container and test the application locally.\n\n```bash\ndocker build -t pin-github-action .\ndocker run --rm -v $(pwd):/workflows -e GITHUB_TOKEN=\u003cyour-token-here\u003e pin-github-action /path/to/.github/workflows/your-name.yml\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmheap%2Fpin-github-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmheap%2Fpin-github-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmheap%2Fpin-github-action/lists"}