https://github.com/mashiike/actionspin
Bulk replace GitHub Actions references from version tags to commit hashes for locked, reproducible workflows.
- Host: GitHub
- URL: https://github.com/mashiike/actionspin
- Owner: mashiike
- License: mit
- Created: 2025-03-18T05:51:32.000Z (2 months ago)
- Default Branch: main
- Last Pushed: 2025-04-07T21:56:48.000Z (about 2 months ago)
- Last Synced: 2025-04-15T01:53:40.118Z (about 1 month ago)
- Language: Go
- Size: 44.9 KB
- Stars: 5
- Watchers: 1
- Forks: 0
- Open Issues: 4
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
README
# actionspin
Bulk replace GitHub Actions references from version tags to commit hashes for locked, reproducible workflows.
## Overview
`actionspin` is a tool that replaces version tags with commit hashes in GitHub Actions workflow files. This ensures reproducible workflows.
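One way to check that no tag references remain in a workflow is sketched below. This is an added example, not part of actionspin: the function name `UnpinnedUses` and the sample workflow are constructed for illustration. It lists every `uses:` entry whose ref is not a full 40-character commit hash.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// usesLine matches a workflow "uses:" entry, with or without a leading "- ".
var usesLine = regexp.MustCompile(`^\s*(?:-\s+)?uses:\s*["']?([^\s"'#]+)`)

// fullSHA matches a full 40-character commit hash, the form a pinned ref takes.
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// UnpinnedUses (hypothetical helper) returns every "uses:" reference in the
// workflow text whose ref is not a full commit hash. Local actions (./path)
// and docker:// images are skipped because they are not Git refs.
func UnpinnedUses(workflow string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(workflow))
	for sc.Scan() {
		m := usesLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		ref := m[1]
		if strings.HasPrefix(ref, "./") || strings.HasPrefix(ref, "docker://") {
			continue
		}
		at := strings.LastIndex(ref, "@")
		if at < 0 || !fullSHA.MatchString(ref[at+1:]) {
			out = append(out, ref)
		}
	}
	return out
}

// sample is constructed input: one pinned step, one tag, one local action.
const sample = `steps:
  - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
  - name: Check out
    uses: actions/checkout@v4
  - uses: ./.github/actions/local
`

func main() {
	for _, u := range UnpinnedUses(sample) {
		fmt.Println("not pinned to a commit hash:", u)
	}
}
```

A check like this can run in CI so that a newly added tag reference fails the build.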
## Installation
You can install it using the following command:
```sh
$ go install github.com/mashiike/actionspin/cmd/actionspin@latest
```
Alternatively, you can download the binary from [GitHub Releases](https://github.com/mashiike/actionspin/releases).

Or install it with Homebrew:
```sh
$ brew install mashiike/tap/actionspin
```
## Usage
Use `actionspin` to process GitHub Actions workflow files in the specified directory.
```sh
Usage: actionspin --target=".github" [flags]

Bulk replace GitHub Actions references from version tags to commit hashes for locked, reproducible workflows.

Flags:
  -h, --help                   Show context-sensitive help.
      --log-format="json"      Log format ($LOG_FORMAT)
      --[no-]color             Enable color output
      --log-level="info"       Log level ($LOG_LEVEL)
      --version                Show version and exit
      --target=".github"       Replace Target dir or file
      --output=""              Output dir
      --github-token=STRING    GitHub token ($GITHUB_TOKEN)
```
For example, consider the following Actions workflow:
```yaml
name: Test
on:
  push:
    branches:
      - master
      - main
  pull_request:
    types:
      - opened
      - synchronize
      - reopened

jobs:
  test:
    strategy:
      matrix:
        go:
          - "1.24"
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.go }}
        id: go

      - name: Check out code into the Go module directory
        uses: actions/checkout@v4

      - name: Build & Test
        run: |
          go test -race ./... -timeout 30s
```
Run the following command in the root directory of the repository, and `actionspin` will replace `actions/setup-go@v5` and `actions/checkout@v4` with their respective commit hashes.
```sh
$ actionspin
{"time":"2025-03-18T14:42:20.911018+09:00","level":"INFO","msg":"replace uses","path":"workflows/test.yaml","owner":"actions","repo":"setup-go","ref":"v5","commitHash":"f111f3307d8850f501ac008e886eec1fd1932a34"}
{"time":"2025-03-18T14:42:21.415795+09:00","level":"INFO","msg":"replace uses","path":"workflows/test.yaml","owner":"actions","repo":"checkout","ref":"v4","commitHash":"11bd71901bbe5b1630ceea73d27597364c9af683"}
Replaced uses:
- actions/setup-go@v5 -> f111f3307d8850f501ac008e886eec1fd1932a34
- actions/checkout@v4 -> 11bd71901bbe5b1630ceea73d27597364c9af683

Replaced files:
- .github/workflows/test.yaml
```
The result will be as follows:
```yaml
name: Test
on:
  push:
    branches:
      - master
      - main
  pull_request:
    types:
      - opened
      - synchronize
      - reopened

jobs:
  test:
    strategy:
      matrix:
        go:
          - "1.24"
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Set up Go
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
        with:
          go-version: ${{ matrix.go }}
        id: go

      - name: Check out code into the Go module directory
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: Build & Test
        run: |
          go test -race ./... -timeout 30s
```
## Contributing
Please use GitHub's issue tracker for bug reports and feature requests. Pull requests are also welcome.
1. Fork the repository.
2. Create a feature branch.
3. Commit your changes.
4. Create a pull request.

## License
This project is licensed under the MIT License. See the [LICENSE](./LICENSE) file for details.