
https://github.com/lfreleng-actions/pinned-versions-action

Ensures workflows are pinned to SHA commit values

actions audit auditing github-actions github-workflows security validation

Last synced: about 1 year ago

README


# 📌 Pinned Versions Action

Verifies action/workflow calls use SHA commit values.

## pinned-versions-action

## Recommended Event Triggers

Run the check on demand and on pull requests that touch workflow or action
definitions. The `paths` filter limits pull request runs to changes under
`.github/`, which is where workflow and composite action files live.

```yaml
on:
  workflow_dispatch:
  pull_request:
    branches:
      - main
      - master
    paths: [".github/**"]
```

## Usage Example

```yaml
jobs:
  check-actions:
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - name: 'Check Pinned Versions'
        uses: lfreleng-actions/pinned-versions-action@main
```

Note that `@main` is a mutable branch reference, which is exactly the kind of
call this action reports. For production use, pin this action itself to a full
commit SHA (keeping the tag or version in a trailing comment for readability),
as you would for any other action.

## Inputs

| Variable Name | Required | Default | Description |
| ------------- | -------- | ------------------------------- | ------------------------------------------------ |
| path_prefix | False | '.' (current working directory) | Directory location containing project code |
| no_checkout | False | false | Don't perform a checkout of the local repository |

## Behaviour

### Pull Requests

When triggered by a pull request, the action audits the changed content for
calls to GitHub actions/workflows that are not pinned to a SHA commit value.
Only the files changed in the pull request are scanned, so the check will NOT
block merges because of unpinned actions/workflows elsewhere in the repository.

### Manual Invocation

The action behaves differently when explicitly run via the `workflow_dispatch`
trigger: it scans the entire repository for action/workflow calls and reports
results for every GitHub action/workflow reference found. This is the mode to
use when first adopting the check on an existing repository, since it surfaces
pre-existing unpinned references that a pull request run would not touch.
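The following is an added example, written for this page and not the action's
own code, showing the kind of check the behaviour above describes: extract
`uses:` references from workflow YAML and report any whose ref is not a full
40-character commit SHA. The sample workflow, the placeholder SHA made of
repeated `1` characters, and the `octo-org/example-repo` reusable workflow are
constructed for the example. It uses only the Python standard library so it
runs offline; it also goes slightly beyond the page by treating local actions
(`./path`) and Docker image references separately, since those have no Git ref
to pin.

```python
"""Report GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example (not part of pinned-versions-action). Stdlib only.
"""
import re
from typing import List, Tuple

# A `uses:` reference is pinned when the part after '@' is a full 40-hex
# commit SHA. Branch names and tags (main, v4, v4.1.1) are mutable and can be
# moved by the action's maintainer (or by an attacker who compromises them).
SHA40 = re.compile(r"^[0-9a-f]{40}$")

# Matches both step-level ("- uses: ...") and job-level ("uses: ...") calls.
# The ref stops at whitespace or '#', so a trailing "# v4.1.1" comment is ignored.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^#\s]+)")


def classify_uses(ref: str) -> Tuple[str, str]:
    """Classify one `uses:` value as ('pinned'|'unpinned'|'skipped', detail)."""
    # Local actions in the same repository have no version ref to pin.
    if ref.startswith("./"):
        return ("skipped", "local action")
    # Docker images are a different supply chain: a digest is the pinned form.
    if ref.startswith("docker://"):
        if "@sha256:" in ref:
            return ("pinned", "image digest")
        return ("unpinned", "docker image without digest")
    if "@" not in ref:
        return ("unpinned", "no ref given (resolves to the default branch)")
    _, version = ref.rsplit("@", 1)
    if SHA40.match(version):
        return ("pinned", "commit sha")
    return ("unpinned", f"mutable ref '{version}'")


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ref, detail) for every unpinned `uses:` in the text."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")  # allow quoted values
        status, detail = classify_uses(ref)
        if status == "unpinned":
            findings.append((line_no, ref, detail))
    return findings


# Constructed sample workflow (not a real project file). The SHA on line 7 is a
# placeholder of forty '1' characters, used only to exercise the pinned path.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111 # v4 (placeholder)
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - name: reusable
        uses: octo-org/example-repo/.github/workflows/build.yml@main
"""


if __name__ == "__main__":
    for line_no, ref, detail in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} -> {detail}")
```

The regex approach mirrors what a diff-based pull request scan can do without
a YAML parser: it works on changed lines alone. For a whole-repository scan you
would apply `find_unpinned` to every file under `.github/workflows/` and to any
composite `action.yml`, which is the manual invocation mode described above.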