mheap / pin-github-action

Licence: MIT license
Pin your GitHub actions to a specific hash

pin-github-action

This is a tool that allows you to pin your GitHub actions dependencies to a specific sha without requiring that you update every action manually each time you want to use a newer version of an action.

It achieves this by converting your workflow to use a specific commit hash, whilst adding the original value as a comment on that line. This allows us to resolve newer shas for that target ref automatically in the future.

It converts this:

name: Commit Push
on:
  push:
    branches:
      - master
jobs:
  build:
    name: nexmo/github-actions/submodule-auto-pr@main
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - name: nexmo/github-actions/submodule-auto-pr
        uses: nexmo/github-actions/submodule-auto-pr@main

Into this:

name: Commit Push
on:
  push:
    branches:
      - master
jobs:
  build:
    name: nexmo/github-actions/submodule-auto-pr@main
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@db41740e12847bb616a339b75eb9414e711417df # pin@main
      - name: nexmo/github-actions/submodule-auto-pr
        uses: nexmo/github-actions/submodule-auto-pr@73549280c1c566830040d9a01fe9050dae6a3036 # pin@main

For more information, see How it works.

Installation

npm install -g pin-github-action

Usage

pin-github-action /path/to/.github/workflows/your-name.yml

If you use private actions (or are hitting rate limits), you'll need to provide a GitHub access token:

GH_ADMIN_TOKEN=<your-token-here> pin-github-action /path/to/.github/workflows/your-name.yml

Run it as many times as you like! Each time you run the tool the exact sha will be updated to the latest available sha for your pinned ref.

If you're having issues, run with debug logging enabled and open an issue:

DEBUG="pin-github-action*" pin-github-action /path/to/.github/workflows/your-name.yml

You can process multiple files at once by adding additional files as arguments:

pin-github-action first.yml second.yml 

Leaving Actions unpinned

To leave an action unpinned, pass the --allow option when running pin-github-action.

Running pin-github-action /path/to/.github/workflows/your-name.yml --allow "actions/*" will turn this:

jobs:
  build:
    name: nexmo/github-actions/submodule-auto-pr@main
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: nexmo/github-actions/submodule-auto-pr@main

Into this (notice how actions/checkout@main is ignored):

jobs:
  build:
    name: nexmo/github-actions/submodule-auto-pr@main
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: nexmo/github-actions/submodule-auto-pr@73549280c1c566830040d9a01fe9050dae6a3036 # pin@main

You can pass multiple actions to allow as a comma-separated list, e.g. actions/checkout,mheap/*

A quick overview of the available globbing patterns (taken from multimatch, which we use to match globs):

  • * matches any number of characters, but not /
  • ? matches a single character, but not /
  • ** matches any number of characters, including /, as long as it's the only thing in a path part
  • {} allows for a comma-separated list of "or" expressions
  • ! at the beginning of a pattern will negate the match

Examples:

  • Exact match: actions/checkout
  • Partial match: actions/*
  • Negated match: !actions/* (will only pin actions/* actions)

How it works

  • Load the workflow file provided
  • Tokenise it into an AST
  • Extract all uses steps, skipping any docker:// or ./local-path actions
  • Loop through all uses steps to determine the target ref
    • If there's a comment in the step, remove pin@ and use that as the target
    • Otherwise, fall back to the ref in the action as the default
  • Look up the current sha for each repo on GitHub and update the action to use the specific hash
    • If needed, add a comment with the target pinned version
  • Write the workflow file with the new pinned version and original target version as a comment
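
The steps above as an added JavaScript sketch (not pin-github-action's own code): it matches uses lines with a regex instead of building an AST, and takes the sha lookup as an injected function so it runs offline. The names resolveSha, fakeResolve, SHAS and SAMPLE are hypothetical; the two hashes are the ones shown in the example earlier on this page.

```javascript
// Added sketch, not pin-github-action's code: the tool builds a YAML AST,
// this one matches "uses:" lines with a regex to stay dependency-free.
const USES = /^(\s*(?:-\s+)?uses:\s*)([^\s#]+)\s*(?:#\s*(.*))?$/;

// Split "owner/repo[/path]@ref"; returns null when there is no "@ref".
function parseUses(value) {
  const at = value.lastIndexOf("@");
  if (at < 0) return null;
  const [owner, repo] = value.slice(0, at).split("/");
  return { name: value.slice(0, at), owner, repo, ref: value.slice(at + 1) };
}

// resolveSha(owner, repo, ref) is injected so the example runs offline;
// a real run would ask GitHub for the commit the ref currently points to.
function pinWorkflow(text, resolveSha) {
  return text.split("\n").map((line) => {
    const m = USES.exec(line);
    if (!m) return line;
    const [, prefix, value, comment] = m;
    // docker:// images and ./local-path actions are skipped
    if (value.startsWith("docker://") || value.startsWith("./")) return line;
    const action = parseUses(value);
    if (!action) return line;
    // A "pin@<ref>" comment names the target; otherwise use the ref as written
    const pin = /^pin@(\S+)/.exec(comment || "");
    const target = pin ? pin[1] : action.ref;
    const sha = resolveSha(action.owner, action.repo, target);
    // Fail closed: never write an unresolved ref into the workflow
    if (!sha) throw new Error(`cannot resolve ${action.name}@${target}`);
    return `${prefix}${action.name}@${sha} # pin@${target}`;
  }).join("\n");
}

// Constructed lookup table; the two hashes are the ones in the README example.
const SHAS = {
  "actions/checkout@main": "db41740e12847bb616a339b75eb9414e711417df",
  "nexmo/github-actions@main": "73549280c1c566830040d9a01fe9050dae6a3036",
};
const fakeResolve = (owner, repo, ref) => SHAS[`${owner}/${repo}@${ref}`];

// Constructed workflow steps: unpinned, stale pin, docker image, local action.
const SAMPLE = [
  "      - uses: actions/checkout@main",
  "        uses: nexmo/github-actions/submodule-auto-pr@" + "0".repeat(40) + " # pin@main",
  "      - uses: docker://alpine:3.19",
  "      - uses: ./local-path",
].join("\n");

console.log(pinWorkflow(SAMPLE, fakeResolve));
```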
