Update GitHub Actions configurations to use hashpins, instead of mutable pins, in a Dependabot-compatible way
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
gha-hashpinner
Finds mutable pins in GitHub Actions config and replaces them with immutable commit SHAs.
This is a security best practice that protects against supply chain attacks.
The immutable hashpins generated by this tool include version comments which are Dependabot-compatible.
⚠️ SHA pinning isn't a perfect solution and GitHub should be ashamed. If someone opens a PR to update a SHA pin, close it and let Dependabot do it instead (or manually verify the SHA is a member of the correct repo).
Example
❌ Mutable pins are a bad practice (you might get pwned!):
jobs:
my-job:
steps:
- name: "Checkout"
uses: "actions/checkout@v4"
✅ This tool will convert them to immutable pins:
jobs:
my-job:
steps:
- name: "Checkout"
uses: "actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" # v4
Install
uv tool install gha-hashpinner
Usage
From a GitHub repository containing GitHub Actions workflows in .github/workflows:
gha-hashpinner .
Or, update a specific workflow file:
gha-hashpinner .github/workflows/my-workflow.yml
GitHub API rate limiting
The GitHub API rate-limits unauthenticated requests to 60/hour.
You may want to provide a token with the --token= argument to avoid rate limits.
This tool only needs read access.
It's very important to minimize access granted to any tool to only what's required. Only use fine-grained personal access tokens (PATs) with no extra permissions. Never click the "Add permissions" button.
In other words, keep everything default. The only thing selected in the fine-grained PAT UI should be "Public repositories (Read-only access to public repositories)". If you need to run this tool against private repositories, select "All repositories" or "Only select repositories".
With GitHub Actions
TODO
With pre-commit / prek
TODO
Alternatives
- https://github.com/azat-io/actions-up: NPM package
- https://github.com/Skipants/update-action-pins: Go package
Why?
I deeply distrust the NPM ecosystem. The Go package above is not user-friendly to install.
I wanted something I could install with uv tool install.
LLMs plus a dash of review and engineering judgement make it fast and easy to build tools like this.
Limitations
- This tool detects mutable refs with regex, i.e. a 40-character hexadecimal string is considered to be an immutable ref. There's no way to be sure without making API calls. See the relevant issue (#13) for details.
- When not given an explicit file path, only checks workflow files in
.github/workflows.
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file gha_hashpinner-0.0.2.tar.gz.
File metadata
- Download URL: gha_hashpinner-0.0.2.tar.gz
- Upload date:
- Size: 63.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1058ab33e08ee384c9fd582a9a402b4cea7be95b8483897661965c3e8c05961d
|
|
| MD5 |
04cfb9f58043b5b2075ce2f5c0804ab8
|
|
| BLAKE2b-256 |
e6fb9cf01c4450a22c202222dbd215052dbc07be7c14d6c815e6a8c2a05bac02
|
Provenance
The following attestation bundles were made for gha_hashpinner-0.0.2.tar.gz:
Publisher:
publish.yml on mfisher87/gha-hashpinner
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
gha_hashpinner-0.0.2.tar.gz -
Subject digest:
1058ab33e08ee384c9fd582a9a402b4cea7be95b8483897661965c3e8c05961d - Sigstore transparency entry: 1200856656
- Sigstore integration time:
-
Permalink:
mfisher87/gha-hashpinner@e2d27cc5774b104627d21516a7c912443a0b6162 -
Branch / Tag:
refs/tags/0.0.2 - Owner: https://github.com/mfisher87
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@e2d27cc5774b104627d21516a7c912443a0b6162 -
Trigger Event:
release
-
Statement type:
File details
Details for the file gha_hashpinner-0.0.2-py3-none-any.whl.
File metadata
- Download URL: gha_hashpinner-0.0.2-py3-none-any.whl
- Upload date:
- Size: 15.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
72a07105e63239a8891f96dc568776a52201543f6c2b06b45f6dbfabd57417ec
|
|
| MD5 |
bb9aed5c66b3f944d42281c8384b0d27
|
|
| BLAKE2b-256 |
c92a2b2af2fb368534b26644e2b827318fc7131ed2c467171e61c554a75f4a9d
|
Provenance
The following attestation bundles were made for gha_hashpinner-0.0.2-py3-none-any.whl:
Publisher:
publish.yml on mfisher87/gha-hashpinner
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
gha_hashpinner-0.0.2-py3-none-any.whl -
Subject digest:
72a07105e63239a8891f96dc568776a52201543f6c2b06b45f6dbfabd57417ec - Sigstore transparency entry: 1200856719
- Sigstore integration time:
-
Permalink:
mfisher87/gha-hashpinner@e2d27cc5774b104627d21516a7c912443a0b6162 -
Branch / Tag:
refs/tags/0.0.2 - Owner: https://github.com/mfisher87
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@e2d27cc5774b104627d21516a7c912443a0b6162 -
Trigger Event:
release
-
Statement type:
