feat: Add support for pinning Docker images in GitHub Actions files #27
Merged
Add support for pinning Docker image references in GitHub Actions workflow files (.github/workflows/*.yml) and action metadata files (action.yml/action.yaml).
Supported locations:
- jobs.<job_id>.container.image (including string shorthand)
- jobs.<job_id>.services.<service_id>.image
- jobs.<job_id>.steps[*].uses (docker:// prefixed only)
- runs.image (docker:// prefixed only, in action files)
The default glob pattern now auto-discovers these files alongside Dockerfiles and compose files.
Closes #24
https://claude.ai/code/session_0189LYEmTuZSS2ZCUoDurv8M
Co-authored-by: azu <azu@users.noreply.github.com>

Add supported patterns tables for workflow files and action files, update description and default glob pattern documentation.
https://claude.ai/code/session_0189LYEmTuZSS2ZCUoDurv8M
Co-authored-by: azu <azu@users.noreply.github.com>

Replace strings.Contains checks with full output comparison for more reliable regression detection. Also fix goimports lint.
https://claude.ai/code/session_0189LYEmTuZSS2ZCUoDurv8M
Co-authored-by: azu <azu@users.noreply.github.com>

…for local Dockerfile
- parseContainer now detects docker:// prefix and strips it from ImageRef
- parseAction returns a skip ref (Skip: true, SkipReason: "local Dockerfile") for non-docker:// runs.image values, matching compose package behavior
https://claude.ai/code/session_0189LYEmTuZSS2ZCUoDurv8M
Co-authored-by: azu <azu@users.noreply.github.com>

Same fix as container fields — detect docker:// prefix in services.*.image and pass it to makeRef so the prefix is stripped from ImageRef before registry resolution.
https://claude.ai/code/session_0189LYEmTuZSS2ZCUoDurv8M
Co-authored-by: azu <azu@users.noreply.github.com>

Move docker:// prefix detection into makeRef itself instead of requiring each caller to check. This eliminates the class of bugs where a new call site forgets to detect the prefix (as happened with services.*.image).
https://claude.ai/code/session_0189LYEmTuZSS2ZCUoDurv8M
Co-authored-by: azu <azu@users.noreply.github.com>

Actions check output now shows "image: node:24" and "uses: docker://..." instead of bare values, matching the compose convention of "image: <ref>".
https://claude.ai/code/session_0189LYEmTuZSS2ZCUoDurv8M
Co-authored-by: azu <azu@users.noreply.github.com>

Verifies the full parse → resolve → rewrite flow when container and service images use the docker:// prefix, ensuring the prefix is stripped before resolution but preserved in output.
https://claude.ai/code/session_0189LYEmTuZSS2ZCUoDurv8M
Co-authored-by: azu <azu@users.noreply.github.com>

azu pushed a commit that referenced this pull request Apr 3, 2026
<!-- Release notes generated using configuration in .github/release.yml at main -->

## What's Changed

### Features
* feat: Add support for pinning Docker images in GitHub Actions files by @azu in #27

### Maintenance
* fix: remove unused --platform flag by @azu in #25

**Full Changelog**: v1.0.5...v1.1.0

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Summary

This PR extends dockerfile-pin to support GitHub Actions workflow files and action metadata files, enabling users to pin Docker image references in `.github/workflows/*.yml`, `action.yml`, and `action.yaml` files with digest hashes.

Key Changes

- New Actions Parser (`internal/actions/parse.go`): Parses GitHub Actions YAML files to extract Docker image references from:
  - `container` images (both object and string formats)
  - `services` images
  - `uses` with `docker://` prefix
  - `runs.image` with `docker://` prefix
  - `docker://` prefix convention
- Actions File Rewriter (`internal/actions/rewrite.go`): Applies resolved digests back to Actions files while preserving formatting and handling both prefixed and non-prefixed image references
- File Type Detection (`cmd/files.go`): Extended `DetectFileType()` to recognize:
  - `.github/workflows/` directories with `.yml`/`.yaml` extensions
  - `action.yml` and `action.yaml` files anywhere in the repository
- Pin Command Integration (`cmd/pin.go`): Added `applyActions()` function to handle digest application for Actions files, respecting the `--update` flag for already-pinned images
- Check Command Integration (`cmd/check.go`): Added `parseActionsForCheck()` function to validate image pinning status in Actions files with proper reporting of missing/invalid digests
- Comprehensive Test Coverage:
  - `internal/actions/parse_test.go`)
  - `internal/actions/rewrite_test.go`)
  - `e2e_test.go` covering workflows, actions, and round-trip file modifications
  - `cmd/files_test.go`
- Documentation (`README.md`): Updated to reflect support for GitHub Actions files

Implementation Details

- `gopkg.in/yaml.v3` to maintain line number information for accurate file rewriting
- `docker://` prefix if present) and normalized form (without prefix/digest)
- `--update` flag
- `actions/checkout@v4`) are correctly ignored

close #24
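
The prefix rules described in the commits and summary above, as an added Go illustration that is not code from this pull request: `docker://` is detected in one place, stripped before registry resolution, and restored when the pinned value is written back. The names `Field`, `Ref`, `classify` and `pin` are hypothetical, and the digest is a constructed placeholder.

```go
package main

import (
	"fmt"
	"strings"
)

const dockerPrefix = "docker://"
type Field int // where in an Actions file the value was found (hypothetical)
const (
	ContainerImage Field = iota // jobs.<job_id>.container.image
	ServiceImage                // jobs.<job_id>.services.<service_id>.image
	StepUses                    // jobs.<job_id>.steps[*].uses
	RunsImage                   // runs.image in action.yml / action.yaml
)

type Ref struct { // hypothetical parsed reference, not the project's own struct
	ImageRef   string // prefix-free form used for registry resolution
	HasPrefix  bool   // author wrote docker://, so the output must keep it
	Skip       bool
	SkipReason string
}

// classify is the one place that detects docker://; ok=false means "not an image".
func classify(f Field, raw string) (r Ref, ok bool) {
	r.HasPrefix = strings.HasPrefix(raw, dockerPrefix)
	r.ImageRef = strings.TrimPrefix(raw, dockerPrefix)
	switch {
	case f == StepUses && !r.HasPrefix:
		return Ref{}, false // e.g. actions/checkout@v4
	case f == RunsImage && !r.HasPrefix:
		r.Skip, r.SkipReason = true, "local Dockerfile"
	}
	return r, true
}

// pin appends the digest (replacing an old one) and restores the prefix.
func pin(r Ref, digest string) string {
	out := strings.SplitN(r.ImageRef, "@", 2)[0] + "@" + digest
	if r.HasPrefix {
		out = dockerPrefix + out
	}
	return out
}

func main() {
	r, _ := classify(ServiceImage, "docker://redis:7")
	fmt.Println(r.ImageRef, "->", pin(r, "sha256:"+strings.Repeat("0", 64))) // constructed digest
}
```

Because every field goes through `classify`, a `services.*.image` value with a `docker://` prefix cannot reach the registry lookup with the prefix still attached.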