https://github.com/suzuki-shunsuke/pinact-action
GitHub Actions to pin GitHub Actions by pinact
- Host: GitHub
- URL: https://github.com/suzuki-shunsuke/pinact-action
- Owner: suzuki-shunsuke
- License: mit
- Created: 2023-07-08T05:26:14.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2025-04-01T00:42:40.000Z (about 1 month ago)
- Last Synced: 2025-04-01T01:32:22.188Z (about 1 month ago)
- Size: 756 KB
- Stars: 23
- Watchers: 3
- Forks: 1
- Open Issues: 4
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
README
# pinact-action
[License](https://raw.githubusercontent.com/suzuki-shunsuke/pinact-action/main/LICENSE) | [action.yaml](action.yaml)

pinact-action is a GitHub Action that pins GitHub Actions and reusable workflows using [pinact](https://github.com/suzuki-shunsuke/pinact).
This action fixes files matching `\.github/workflows/[^/]+\.ya?ml$` and `^(.*/)?action\.ya?ml?` and pushes a commit to a remote branch.

If you don't want to push a commit, this action can also only validate files.
In this case, CI fails if actions aren't pinned.

## GitHub Access Token
You can use any of the following tokens:
- :thumbsup: GitHub App Installation access token: We recommend this
- :thumbsdown: GitHub Personal Access Token: This can't create verified commits
- :thumbsdown: `${{secrets.GITHUB_TOKEN}}`: This can't trigger new workflow runs.

https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow

> When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run.

### Required permissions
`contents:write` is required.
Furthermore, if you want to fix workflow files, `workflows:write` is also required.
If private actions are used, the permission `contents:read` to access those repositories is also required.

## How To Use
All inputs are optional.
```yaml
name: Pinact
on:
  pull_request: {}
jobs:
  pinact:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: Pin actions
        uses: suzuki-shunsuke/pinact-action@d735505f3decf76fca3fdbb4c952e5b3eba0ffdd # v0.1.2
```

By default, this action uses `${{github.token}}` to create a commit.
But we recommend a GitHub App because `${{github.token}}` doesn't trigger a new workflow run.

You can create a GitHub App installation access token and pass it to pinact-action yourself, but you can also pass a pair of GitHub App ID and private key.
Then pinact-action creates a GitHub App installation access token with minimum `repositories` and `permissions`.

```yaml
- uses: suzuki-shunsuke/pinact-action@d735505f3decf76fca3fdbb4c952e5b3eba0ffdd # v0.1.2
  with:
    app_id: ${{secrets.APP_ID}}
    app_private_key: ${{secrets.APP_PRIVATE_KEY}}
```

### skip_push
If you don't want to push a commit, this action can also only validate files.
In this case, CI fails if actions aren't pinned.

```yaml
- uses: suzuki-shunsuke/pinact-action@d735505f3decf76fca3fdbb4c952e5b3eba0ffdd # v0.1.2
  with:
    skip_push: "true"
```
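
To show what the validate-only mode is checking for, here is an added example (not pinact's or pinact-action's own code) that flags `uses:` references not pinned to a full 40-character commit SHA. The file patterns are the two quoted in this README; the `example-org/...` references, the sample workflow, and the choice to skip `./` and `docker://` references are assumptions of this sketch.

```python
import re

# File patterns quoted from the README above.
TARGET_PATTERNS = [
    re.compile(r"\.github/workflows/[^/]+\.ya?ml$"),
    re.compile(r"^(.*/)?action\.ya?ml?"),
]
# `uses:` appears as a step key or as a job-level reusable workflow call.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def is_target_file(path):
    """True if the path is a workflow or action metadata file."""
    return any(p.search(path) for p in TARGET_PATTERNS)

def unpinned_uses(text):
    """Return (line number, reference) for each `uses:` without a full SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Assumption of this sketch: local and Docker references are skipped.
        if target.startswith(("./", "docker://")):
            continue
        _, _, ref = target.partition("@")
        if not FULL_SHA_RE.match(ref):  # tag, branch, short SHA or no ref
            findings.append((lineno, target))
    return findings

# Constructed sample workflow; the example-org references are hypothetical.
SAMPLE = """\
on:
  pull_request: {}
jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup
        uses: example-org/setup-tool@v1
  reuse:
    uses: example-org/shared/.github/workflows/ci.yaml@main
"""

if __name__ == "__main__":
    for lineno, target in unpinned_uses(SAMPLE):
        print(f"line {lineno}: not pinned to a full commit SHA: {target}")
```

A tag or branch such as `@v1` or `@main` can be moved to different code by whoever controls the upstream repository, which is why only the full SHA counts as pinned here.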