Analyses and pins GitHub actions in your workflows.
This tool pins your GitHub Action versions to the full SHA-1 commit hash instead of a tag, to improve security: Git tags are not immutable, so a tag can be moved to point at different code, while a commit hash cannot.

It converts

```yaml
uses: aws-actions/configure-aws-credentials@v1.7.0
```

to

```yaml
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
```

The original tag is kept as a trailing comment so the pinned version stays readable.

To skip a specific action from being pinned, add the comment `pinning: ignore` to its `uses:` line.
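As an added illustration of the rewrite described above (example code, not octopin's own implementation), the following Python rewrites `uses:` references to a commit hash, keeps the tag as a comment, leaves already-pinned lines alone and honours `pinning: ignore`. The tag-to-commit table is constructed for the demo; the real tool resolves tags against the action's repository.

```python
import re

# Constructed lookup table standing in for a tag -> commit query against
# the action's repository (offline demo; only the aws-actions entry is real).
RESOLVED = {
    ("aws-actions/configure-aws-credentials", "v1.7.0"):
        "67fbcbb121271f7775d2e7715933280b06314838",
}

# Matches "uses: owner/repo[/path]@ref" with optional "- " and trailing text.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<action>[^@\s]+)@(?P<ref>\S+)(?P<rest>.*)$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def pin_line(line, resolve=RESOLVED.get):
    """Return the line with its tag replaced by a commit SHA, or unchanged."""
    m = USES_RE.match(line)
    if m is None:
        return line  # not a 'uses:' line, or a local/docker reference
    rest = m.group("rest")
    # Respect the opt-out comment, e.g. reusable workflows that must stay on a tag.
    if "pinning: ignore" in rest:
        return line
    ref = m.group("ref")
    if SHA_RE.match(ref):
        return line  # already pinned; running twice is a no-op
    action = m.group("action")
    # Reusable workflows look like owner/repo/.github/workflows/x.yml; the
    # commit lives in owner/repo, so resolve against that.
    repo = "/".join(action.split("/")[:2])
    sha = resolve((repo, ref))
    if sha is None:
        return line  # unknown tag: leave it for a human to check
    return f"{m.group('prefix')}{action}@{sha} # {ref}{rest}"


def pin_workflow(text, resolve=RESOLVED.get):
    """Pin every 'uses:' line in a workflow file's text."""
    return "\n".join(pin_line(line, resolve) for line in text.split("\n"))
```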
Example using the generic SLSA generator workflow, which MUST be referenced by a tag rather than a commit hash:

```yaml
provenance:
  needs: ['prepare', 'build-dist']
  permissions:
    actions: read
    contents: write
    id-token: write # Needed to access the workflow's OIDC identity.
  uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # pinning: ignore
  with:
    base64-subjects: "${{ needs.build-dist.outputs.hashes }}"
    upload-assets: true
```

This repo provides a pre-commit hook to run `octopin pin`. Add the following snippet to your `.pre-commit-config.yaml` to use it.
```yaml
- repo: https://github.com/eclipse-csi/octopin
  rev: main # Recommended to pin to a tagged release
  hooks:
    - id: pin-versions
```