https://github.com/eclipse-csi/octopin
Analyses and pins GitHub actions in your workflows.
github-actions python security supply-chain
Last synced: 8 months ago
- Host: GitHub
- URL: https://github.com/eclipse-csi/octopin
- Owner: eclipse-csi
- License: epl-2.0
- Created: 2024-04-24T20:59:54.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2025-09-15T19:15:28.000Z (9 months ago)
- Last Synced: 2025-09-24T22:52:15.117Z (9 months ago)
- Topics: github-actions, python, security, supply-chain
- Language: Python
- Size: 110 KB
- Stars: 1
- Watchers: 6
- Forks: 3
- Open Issues: 7
Metadata Files:
- Readme: README.md
- Contributing: docs/contributing.md
- License: LICENSE
- Security: SECURITY.md
README
# Eclipse Octopin
Analyses and pins GitHub actions in your workflows.
This tool pins the GitHub Actions your workflows use to a commit SHA-1 hash
instead of a tag. This improves security because Git tags are not immutable: a tag can be moved to a different commit, whereas a commit hash always identifies the same content.
Converts `uses: aws-actions/configure-aws-credentials@v1.7.0` to
`uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0`
## Skipping actions
To prevent a specific action from being pinned, add the comment `pinning: ignore` to its `uses:` line.
Example using the generic SLSA generator action which *MUST* be [referenced](https://github.com/slsa-framework/slsa-github-generator?tab=readme-ov-file#referencing-slsa-builders-and-generators) by a tag rather than a commit hash:
```yaml
provenance:
  needs: ['prepare', 'build-dist']
  permissions:
    actions: read
    contents: write
    id-token: write # Needed to access the workflow's OIDC identity.
  uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # pinning: ignore
  with:
    base64-subjects: "${{ needs.build-dist.outputs.hashes }}"
    upload-assets: true
```
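As an added illustration of the rewrite described above (this is example code written for this page, not Octopin's own implementation), the following script pins `uses:` references to a commit hash, keeps the original tag as a trailing comment, and honours the `pinning: ignore` marker. The tag-to-commit table is constructed for the demo: the `configure-aws-credentials` hash is the one quoted in the README, the `actions/checkout` entry is an all-zero placeholder, and a real tool would resolve tags against the remote repository instead. Lines that are already pinned, refer to a tag absent from the table, or are local/Docker actions are passed through unchanged, and `unpinned_refs` reports what still points at a mutable ref afterwards.

```python
import re

# Constructed tag -> commit lookup used only for this demo. A real tool would
# resolve each tag against the remote repository (e.g. `git ls-remote`).
# The configure-aws-credentials hash is the one quoted in the README above;
# the actions/checkout entry is an all-zero placeholder, not a real commit.
TAG_TO_SHA = {
    ("aws-actions/configure-aws-credentials", "v1.7.0"):
        "67fbcbb121271f7775d2e7715933280b06314838",
    ("actions/checkout", "v4"):
        "0000000000000000000000000000000000000000",  # placeholder
}

# Matches `uses: owner/repo[/path]@ref` with optional list dash, indentation
# and trailing comment. Local (`./...`) and `docker://` actions do not match
# and are therefore left untouched.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*)uses:\s*"
    r"(?P<repo>[\w.-]+/[\w.-]+)(?P<path>/[^@\s]*)?@(?P<ref>[^\s#]+)"
    r"(?P<rest>\s*(?:#.*)?)$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
IGNORE_MARKER = "pinning: ignore"


def pin_line(line):
    """Rewrite one workflow line so its action reference is a commit SHA.

    The original tag is kept as a trailing comment and any existing comment
    is preserved after it. The line is returned unchanged when it is not a
    `uses:` line, is already a SHA, carries the ignore marker, or names a
    tag that is missing from the lookup table.
    """
    m = USES_RE.match(line.rstrip("\n"))
    if not m:
        return line
    ref, comment = m.group("ref"), m.group("rest").strip()
    if IGNORE_MARKER in comment or SHA_RE.match(ref):
        return line
    sha = TAG_TO_SHA.get((m.group("repo"), ref))
    if sha is None:
        return line  # unknown tag: never guess a hash
    path = m.group("path") or ""
    pinned = f"{m.group('indent')}uses: {m.group('repo')}{path}@{sha} # {ref}"
    return f"{pinned} {comment}" if comment else pinned


def pin_workflow(text):
    """Pin every action reference in the text of a workflow file."""
    return "\n".join(pin_line(l) for l in text.splitlines()) + "\n"


def unpinned_refs(text):
    """Audit helper: (line number, ref) for every `uses:` that still points
    at a mutable ref and is not explicitly marked `pinning: ignore`."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")) \
                and IGNORE_MARKER not in m.group("rest"):
            found.append((n, m.group("ref")))
    return found


# Constructed sample workflow exercising each case handled above.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v1.7.0
      - uses: actions/setup-node@v3  # tag missing from lookup: left as-is
  provenance:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # pinning: ignore
"""

if __name__ == "__main__":
    pinned = pin_workflow(SAMPLE_WORKFLOW)
    print(pinned)
    print("still unpinned:", unpinned_refs(pinned))
```

Running the script prints the rewritten workflow and then `still unpinned: [(6, 'v3')]`, i.e. only the reference whose tag could not be resolved remains on a mutable ref; the ignored SLSA generator line is deliberately excluded from that report because the marker documents that its tag reference is intentional.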
## pre-commit hook
This repo provides a pre-commit hook that runs `octopin pin`. Add the following
snippet to your `.pre-commit-config.yaml` to use it.
```yaml
- repo: https://github.com/eclipse-csi/octopin
  rev: main # Recommended to pin to a tagged release
  hooks:
    - id: pin-versions
```