Update GitHub Actions configurations to use hashpins, instead of mutable pins, in a Dependabot-compatible way

These details have been verified by PyPI

Project links

GitHub Statistics

Maintainers

mfisher87

These details have not been verified by PyPI

Project description

`gha-hashpinner`

Finds mutable pins in GitHub Actions config and replaces them with immutable commit SHAs.

This is a security best practice that protects against supply chain attacks.

The immutable hashpins generated by this tool include version comments which are Dependabot-compatible.

E.g.:

❌ Mutable pins are a bad practice (you might get pwned!):

jobs:
  my-job:
    steps:
      - name: "Checkout"
        uses: "actions/checkout@v4"

✅ This tool will convert them to immutable pins:

jobs:
  my-job:
    steps:
      - name: "Checkout"
        uses: "actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5"  # v4

Install

uv tool install gha-hashpinner

Usage

From a GitHub repository containing GitHub Actions workflows in .github/workflows:

gha-hashpinner .

Or, update a specific workflow file:

gha-hashpinner .github/workflows/my-workflow.yml

Alternatives

https://github.com/azat-io/actions-up: NPM package
https://github.com/Skipants/update-action-pins: Go package

Why?

I deeply distrust the NPM ecosystem. The Go package above is not user-friendly to install.

I wanted something I could install with uv tool install.

LLMs plus a dash of review and engineering judgement make it fast and easy to build tools like this.

Project details

These details have been verified by PyPI

Project links

GitHub Statistics

Maintainers

mfisher87

These details have not been verified by PyPI

Release history Release notifications | RSS feed

0.0.3

Mar 30, 2026

0.0.2

Mar 30, 2026

This version

0.0.1

Mar 28, 2026

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

gha_hashpinner-0.0.1.tar.gz (61.5 kB view details)

Uploaded Mar 28, 2026 Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

The dropdown lists show the available interpreters, ABIs, and platforms. Enable javascript to be able to filter the list of wheel files.

gha_hashpinner-0.0.1-py3-none-any.whl (12.0 kB view details)

Uploaded Mar 28, 2026 Python 3

File details

Details for the file gha_hashpinner-0.0.1.tar.gz.

File metadata

Download URL: gha_hashpinner-0.0.1.tar.gz
Upload date: Mar 28, 2026
Size: 61.5 kB
Tags: Source
Uploaded using Trusted Publishing? Yes
Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for gha_hashpinner-0.0.1.tar.gz
Algorithm	Hash digest
SHA256	`9315d41af6faac09c5e457070d594e699bb86600b5745d29f04d9c8de6c16c28`
MD5	`b7e794c843324a1fa9fab3ae225d7b5a`
BLAKE2b-256	`6ef0a75cdd0a371460474a7506e8606724b761f36a7864b659e0a1deec3dbeb5`

See more details on using hashes here.

Provenance

The following attestation bundles were made for gha_hashpinner-0.0.1.tar.gz:

Publisher: publish.yml on mfisher87/gha-hashpinner

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: gha_hashpinner-0.0.1.tar.gz
- Subject digest: 9315d41af6faac09c5e457070d594e699bb86600b5745d29f04d9c8de6c16c28
- Sigstore transparency entry: 1190585272
- Sigstore integration time: Mar 28, 2026
Source repository:
- Permalink: mfisher87/gha-hashpinner@4e528d85e81da49e7af21d4d0a08bfed667c4df6
- Branch / Tag: refs/tags/0.0.1
- Owner: https://github.com/mfisher87
- Access: public
Publication detail:
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@4e528d85e81da49e7af21d4d0a08bfed667c4df6
- Trigger Event: release

File details

Details for the file gha_hashpinner-0.0.1-py3-none-any.whl.

File metadata

Download URL: gha_hashpinner-0.0.1-py3-none-any.whl
Upload date: Mar 28, 2026
Size: 12.0 kB
Tags: Python 3
Uploaded using Trusted Publishing? Yes
Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for gha_hashpinner-0.0.1-py3-none-any.whl
Algorithm	Hash digest
SHA256	`7fb0aaacd68f703067b16adbb6f0fabc6a9353e9dbfe24b6fe77875894c1808f`
MD5	`819e539788149fd87e17c5f29037c814`
BLAKE2b-256	`3e1aef3246772f72716a9fa39fd3a98ad64ea735a0e2bb3ed657fd9693fd427b`

See more details on using hashes here.

Provenance

The following attestation bundles were made for gha_hashpinner-0.0.1-py3-none-any.whl:

Publisher: publish.yml on mfisher87/gha-hashpinner

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: gha_hashpinner-0.0.1-py3-none-any.whl
- Subject digest: 7fb0aaacd68f703067b16adbb6f0fabc6a9353e9dbfe24b6fe77875894c1808f
- Sigstore transparency entry: 1190585328
- Sigstore integration time: Mar 28, 2026
Source repository:
- Permalink: mfisher87/gha-hashpinner@4e528d85e81da49e7af21d4d0a08bfed667c4df6
- Branch / Tag: refs/tags/0.0.1
- Owner: https://github.com/mfisher87
- Access: public
Publication detail:
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@4e528d85e81da49e7af21d4d0a08bfed667c4df6
- Trigger Event: release

gha-hashpinner 0.0.1

Navigation

Verified details

Project links

GitHub Statistics

Maintainers

Unverified details

Meta

Classifiers

Project description

`gha-hashpinner`

Install

Usage

Alternatives

Why?

Project details

Verified details

Project links

GitHub Statistics

Maintainers

Unverified details

Meta

Classifiers

Release history Release notifications | RSS feed

Download files

Source Distribution

Built Distribution

File details

File metadata

File hashes

Provenance

File details

File metadata

File hashes

Provenance