📌 Replaces mutable tags or branch names with commit SHAs in your GitHub Actions workflows

Overview

📌 pin-github-actions

Using a branch name or tag name as the version of a GitHub action is dangerous because neither branches nor tags are immutable: the commit they point to can change after you have reviewed it. (See GitHub's documentation for more details.)

pin-github-actions is a small command-line tool that replaces ("pins") branch or tag names with their corresponding commit SHA.

You can see it in action in this commit:

--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -7,9 +7,9 @@ jobs:
     runs-on: macos-12
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: gradle/[email protected]
-      - uses: gradle/wrapper-validation-action@v1
+      - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 #v3
+      - uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 #v2.2.1
+      - uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b #v1
       - run: ./gradlew build
         env:
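Review bot: the trailing `#v3`, `#v2.2.1` and `#v1` comments on the three added lines are the only record of which tag each SHA was resolved from, and nothing in GitHub verifies that a comment matches the commit it sits next to, so treat the 40-character SHA as the authoritative pin and the comment as documentation that must be kept in sync with it whenever the SHA is bumped.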

Installation

brew install martinbonnin/repo/pin-github-actions

Usage

Usage: pin-github-actions [OPTIONS] [PATHS]...

Options:
  --version
  --login
  --logout
  --update    update to the latest known tag instead of just using the current
  -h, --help  Show this message and exit

Arguments:
  PATHS  The yaml files to process. You can also pass a directory
         in which case it will process all yaml files in that directory.
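The core transformation the tool performs, as an added example that is not part of pin-github-actions itself: scan `uses:` lines, report any reference that is not a full commit SHA, and rewrite those references to `<sha> #<tag>` while leaving already-pinned and local actions untouched. The `resolve` callback and the `FAKE_SHAS` table are stand-ins for the `git ls-remote` / GitHub API lookup the real tool does; the sample workflow is constructed.

```python
import re

# `- uses: owner/repo[/path]@ref [#comment]`; local (`./...`) and `docker://` actions
# have no `owner/repo@ref` shape and are deliberately left alone. Quoted refs are not handled.
USES_RE = re.compile(
    r"^(?P<indent>\s*-\s+uses:\s+)(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>\S+)"
    r"(?P<comment>\s+#.*)?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(ref: str) -> bool:
    """Only a full 40-hex commit SHA counts as a pin; tags, branches and short SHAs do not."""
    return bool(FULL_SHA_RE.match(ref))


def find_unpinned(workflow: str) -> list:
    """Return (line number, action, ref) for every mutable reference in a workflow file."""
    findings = []
    for lineno, line in enumerate(workflow.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m["ref"]):
            findings.append((lineno, m["action"], m["ref"]))
    return findings


def pin_workflow(workflow: str, resolve) -> str:
    """Rewrite mutable refs to `<sha> #<ref>`; pinned and non-matching lines are copied as is.

    `resolve(action, ref)` is assumed to return the commit SHA the tag or branch
    currently points at (the real tool asks GitHub; here a table is used instead).
    """
    out = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m is None or is_pinned(m["ref"]):
            out.append(line)
            continue
        sha = resolve(m["action"], m["ref"])
        out.append(f"{m['indent']}{m['action']}@{sha} #{m['ref']}")  # keep the tag as a comment
    return "\n".join(out) + "\n"


# Constructed sample input; the SHA is the actions/checkout v3 pin shown in the commit above.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 #v3
      - uses: ./.github/actions/local-step
      - run: ./gradlew build
"""
FAKE_SHAS = {("actions/checkout", "v3"): "d0651293c4a5a52e711f25b41b05b2212f385d28"}
```

Running `pin_workflow(SAMPLE, lambda a, r: FAKE_SHAS[(a, r)])` pins line 5 and leaves the other three steps unchanged; `find_unpinned` on the result is empty, which is the check to run in CI.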

Frequently Asked Questions

Q: Why pin first-party actions like actions/checkout@v3? GitHub runs the actions, so they should be trusted by construction?

A: It's true that GitHub has to be trusted to run the actions. Nevertheless, no one is immune to exploits, and in the event that GitHub gets hacked, pinning the GitHub actions reduces the attack surface a tiny little bit. What's more, it makes the yaml files more consistent.

Q: Can I have a GitHub action that automatically updates the pins?

A: Dependabot and Renovate do this (albeit with a caveat in the Dependabot case).

Releases: v0.3.1

Owner: Martin Bonnin