{"id":40892158,"url":"https://github.com/staticaland/pin-github-actions","last_synced_at":"2026-01-22T02:09:34.492Z","repository":{"id":308784180,"uuid":"1034023751","full_name":"staticaland/pin-github-actions","owner":"staticaland","description":"CLI to pin GitHub Actions in workflow files to immutable commit SHAs.","archived":false,"fork":false,"pushed_at":"2025-11-10T01:37:55.000Z","size":11467,"stargazers_count":2,"open_issues_count":16,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-19T11:38:38.846Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/staticaland.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-08-07T18:04:38.000Z","updated_at":"2025-12-02T13:20:17.000Z","dependencies_parsed_at":"2025-08-07T22:21:54.422Z","dependency_job_id":"4fbdf125-a9f5-4dfe-83b3-7130957eadc3","html_url":"https://github.com/staticaland/pin-github-actions","commit_stats":null,"previous_names":["staticaland/pin-github-actions"],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/staticaland/pin-github-actions","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/staticaland%2Fpin-github-actions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/staticaland%2Fpin-github-actions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/staticaland%2Fpin-github-actions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/staticaland%2Fpin-github-actions/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/staticaland","download_url":"https://codeload.github.com/staticaland/pin-github-actions/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/staticaland%2Fpin-github-actions/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28650868,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-22T01:17:37.254Z","status":"online","status_checked_at":"2026-01-22T02:00:07.137Z","response_time":144,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-22T02:09:33.669Z","updated_at":"2026-01-22T02:09:34.480Z","avatar_url":"https://github.com/staticaland.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# pin-github-actions\n\nCLI to pin GitHub Actions in workflow files to immutable commit SHAs.\n\n## Installation\n\n### Homebrew (macOS/Linux)\n\nFirst, tap the repository:\n\n```bash\nbrew tap staticaland/pin-github-actions https://github.com/staticaland/pin-github-actions\n```\n\nThen, install the cask:\n\n```bash\nbrew install --cask pin-github-actions\n```\n\nIf the cask is unavailable on your Linux setup, use one of the alternatives below instead.\n\n### From Source\n\n```bash\ngo build -o pin-github-actions\n```\n\nOr install directly:\n\n```bash\ngo install github.com/staticaland/pin-github-actions@latest\n```\n\n### Prebuilt binaries\n\nDownload a tarball for your OS/arch from the project releases and place the `pin-github-actions` binary on your `PATH`.\n\n## Usage\n\n```bash\npin-github-actions [--expand-major] [--policy \u003cpolicy\u003e] [--yes|--write] [--dry-run] \u003cworkflow-file\u003e\n\n# Example\npin-github-actions --policy same-major --yes .github/workflows/release.yml\n```\n\nWhat it does:\n\n- detect all `uses: owner/repo@ref` entries\n- resolve a version based on your policy (see Options below). By default, it uses the latest GitHub release if available; otherwise it falls back to the highest semantic version tag; if no semver tags exist, it falls back to the newest tag returned by the API\n- replace `@ref` with the exact commit SHA and keep the chosen version as a trailing comment\n\nFlow:\n\n- prints discovered actions\n- resolves versions and SHAs in parallel\n- shows a \"Planned updates\" preview (from → to) with line/column hints\n- prompts for confirmation before writing: `Apply changes? [y/N]` (skipped when `--yes`/`--write` is provided)\n  - answering no leaves the file unchanged\n  - answering yes writes the updated workflow file in place\n\nExample replacement: `uses: actions/checkout@11bd... # v4.2.2`.\n\n### Options\n\n- `--expand-major`: When the input ref is a moving major tag like `v4` or `4`, the tool will resolve the commit and then attempt to discover the exact full semver tag (e.g., `v4.2.2`) that points to that commit. The comment will use this full version instead of the major tag. This only affects the version shown in the comment; the pinned ref is still the immutable commit SHA.\n- `--policy`: Controls how versions are selected relative to what's in your workflow. Defaults to `major`.\n  - `major` (default): bump to the latest available version across all majors (Renovate-like \"latest\" behavior)\n  - `same-major`: stay within the requested major and pick the latest tag for that major\n  - `requested`: pin exactly the requested ref (e.g., resolve `v4` to the commit it currently points to)\n- `--yes`, `--write`: Apply updates non-interactively by skipping the confirmation prompt.\n- `--dry-run`: Perform a non-destructive preview. Prints the planned updates and exits without prompting or writing to disk.\n  - Exit code 0 when no changes are needed, 2 when changes would be made (useful in CI)\n  - Mutually exclusive with `--yes`/`--write`\n\n## Authentication\n\nRequires a GitHub token with public repo read access. The token is discovered in this order:\n\n- `GH_TOKEN`\n- `GITHUB_TOKEN`\n- token from `gh` (via `gh auth login`) discovered via:\n  - OS keychain entry `gh:github.com`\n  - `~/.config/gh/hosts.yml` (`github.com.oauth_token`)\n\nIf no token is found, the program exits with an error.\n\n## Similar tools \u0026 related resources\n\n- [Renovate](https://github.com/renovatebot/renovate)\n- [Dependabot](https://github.com/dependabot/dependabot-core)\n- [stacklok/frizbee](https://github.com/stacklok/frizbee)\n- [Pin your GitHub Actions (Michael Heap)](https://michaelheap.com/pin-your-github-actions/)\n- [GitHub Actions: Security Risk (Julien Renaux)](https://julienrenaux.fr/2019/12/20/github-actions-security-risk/)\n- [mheap/pin-github-action](https://github.com/mheap/pin-github-action)\n- [martinbonnin/pin-github-actions](https://github.com/martinbonnin/pin-github-actions)\n- [Wiz: GitHub Actions Security Guide](https://www.wiz.io/blog/github-actions-security-guide)\n- [sethvargo/ratchet](https://github.com/sethvargo/ratchet)\n- [GitHub Docs: Secure use of actions in workflows](https://docs.github.com/en/actions/reference/security/secure-use)\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstaticaland%2Fpin-github-actions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstaticaland%2Fpin-github-actions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstaticaland%2Fpin-github-actions/lists"}