A command-line tool to automatically update GitHub Actions workflow files, replacing version tags or unpinned actions with pinned commit SHA identifiers. This helps ensure your workflows are reproducible and secure by preventing unexpected changes in third-party actions.

1. Build the binary:

   go build -o update-action-pins main.go

2. (Optional) Move it to your PATH:

   sudo mv update-action-pins /usr/local/bin/

update-action-pins <file-or-dir>

• <file-or-dir>: Path to a workflow YAML file or a directory containing workflow files. Defaults to ".github/workflows"

Example:

update-action-pins

update-action-pins .github/workflows/test.yml

• Go 1.20+
• A valid GitHub token in the GITHUB_TOKEN environment variable (for API requests)

• The tool parses each workflow file and looks for uses: steps.
• For each action using a version tag or branch, it queries the GitHub API to resolve the corresponding commit SHA.
• The workflow file is updated in-place, replacing the version with the resolved SHA and adding a comment with the original version.

Before:

- uses: actions/checkout@v3
- uses: actions/setup-node@main

After running the tool:

- uses: actions/checkout@b4ffde3b8c7e7e3b6b7e3e1e3b6b7e3e1e3b6b7e # v3
- uses: actions/setup-node@c4c1b6b5e2e3b6b7e3e1e3b6b7e3e1e3b6b7e3e1 # main

Run the test suite with:

go test

Pull requests and issues are welcome!

MIT License