
feature request: look up a hash by version #83

Open
lucasgonze opened this issue Jun 17, 2022 · 9 comments · May be fixed by #90

Comments

@lucasgonze
Contributor

Pinning by hash creates UI friction. With a tool like yarn a developer can use the CLI to look up the hash and upgrade the yaml in a terse command - yarn upgrade [email protected]. With pin-github-action the developer has to find the repo, look up the tag of the version they want, copy the hash, and paste the hash into their yaml.

pin-github-action should either:

  1. Be able to upgrade a single dependency using a command similar to yarn
  2. Be able to look up the hash in the CLI, so they can upgrade the yaml by hand
@lucasgonze
Contributor Author

If you are in agreement with this feature, I am willing to submit a PR implementing it.

@mheap
Owner

mheap commented Jun 20, 2022

@lucasgonze I'm not sure what you're suggesting we implement here. Are you looking for a way to specify a specific version of a dependency, or to update the hash in a workflow for an existing pinned dependency?

@lucasgonze
Contributor Author

Let's say you have this:

uses: DoozyX/clang-format-lint-action@9ea72631b74e61ce337d0839a90e76180e997283 # [email protected]

and there exists a 0.14 with hash 1234567.

You issue this command:

node bin.js --update DoozyX/[email protected]

Then the yaml file changes to:

uses: DoozyX/clang-format-lint-action@1234567 # [email protected]

As a simplification, the CLI might simply report on the hash at a given version, in order to save the work of looking up the tag on Github. So this command:

node bin.js --lookup DoozyX/[email protected]

Would return this in the shell:

1234567

@mheap
Owner

mheap commented Jun 20, 2022

Thanks for the examples, it makes it much clearer.

What are the benefits of adding support for node bin.js --update DoozyX/[email protected] in addition to updating the YAML to uses: DoozyX/[email protected] then re-running bin.js? This would look up the hash for the new version provided (or you could update [email protected] to [email protected] and re-run bin.js and it would update the hash too).

@lucasgonze
Contributor Author

My intention with this is to avoid modifying hashes apart from the one named in the parameter.

The reason I would want to only touch the one item is concern that other items might be iterated to a hash that hadn't been vetted, and this would reduce the security of pinning by hash to the same level as pinning by version.

Am I understanding this right?

@mheap
Owner

mheap commented Jun 21, 2022

Yep, that's how it would work today.

We currently have an --allow flag to ignore specific actions from being pinned. Would adding an --only flag enable your use case?

# Update a single action
./bin.js --only DoozyX/clang-format-lint-action

# Or update everything by a user/org
./bin.js --only DoozyX/*

This would pull the latest hash for the version specified in the pin@main comment. If you wanted to manually update the version that you're pinning to, you'd have to update the YAML file.
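The single-action update sketched earlier in the thread (--update owner/repo@version) and the --only selector proposed just above both reduce to one rule: resolve a version to a commit and rewrite that one uses: line, leaving every other pinned hash exactly as it was vetted. The following is an added example in JavaScript, not pin-github-action's own code. It assumes a constructed in-memory tag index standing in for the GitHub API (the SHAs in it are made up), and the `# pin@<ref>` trailing comment format referred to above as the "pin@main comment". A selector may carry an explicit @version (the --update form) or a glob such as DoozyX/* (the --only form).

```javascript
// Added example, not part of pin-github-action. Rewrites the pinned commit SHA
// of GitHub Actions in workflow lines, but only for the actions selected by an
// --only / --update style selector, so every other pinned hash is left untouched.

// Constructed stand-in for "which commit does this tag point at on GitHub".
// A real tool would query the GitHub API; these SHAs are made up.
const TAG_INDEX = {
  "DoozyX/clang-format-lint-action": {
    "v0.13": "9ea72631b74e61ce337d0839a90e76180e997283",
    "v0.14": "1234567000000000000000000000000000000000",
  },
  "actions/checkout": {
    v3: "aaaaaaaa00000000000000000000000000000001",
  },
};

function lookupSha(action, ref) {
  const refs = TAG_INDEX[action];
  return refs && refs[ref] ? refs[ref] : null;
}

// Matches "uses: owner/repo@<ref>", optionally followed by the "# pin@<ref>"
// comment that records which tag a SHA stands for.
const USES_RE = /^(\s*-?\s*uses:\s*)([^\/\s@]+\/[^\/\s@]+)@(\S+)(\s*#\s*pin@(\S+))?\s*$/;

function parseUsesLine(line) {
  const m = USES_RE.exec(line);
  if (!m) return null;
  return { prefix: m[1], action: m[2], ref: m[3], pinned: m[5] || null };
}

// Turn a selector like "DoozyX/*" into an anchored RegExp over "owner/repo".
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`);
}

// selector: "owner/repo" or "owner/*" (re-resolve the version already recorded in
// the pin comment) or "owner/repo@vX" (move that action to a new version).
// Returns { lines, changed }; lines not selected are returned byte-for-byte.
function updatePins(lines, selector, resolve = lookupSha) {
  const at = selector.indexOf("@");
  const pattern = globToRegExp(at >= 0 ? selector.slice(0, at) : selector);
  const wantedRef = at >= 0 ? selector.slice(at + 1) : null;
  const changed = [];
  const out = lines.map((line) => {
    const u = parseUsesLine(line);
    if (!u || !pattern.test(u.action)) return line; // not selected: untouched
    // Version to resolve: explicit @version, else the recorded pin comment,
    // else the bare ref on the line (an unpinned "uses: owner/repo@v3").
    const target = wantedRef || u.pinned || u.ref;
    const sha = resolve(u.action, target);
    if (!sha || sha === u.ref) return line; // unknown version or already current
    changed.push({ action: u.action, from: u.ref, to: sha });
    return `${u.prefix}${u.action}@${sha} # pin@${target}`;
  });
  return { lines: out, changed };
}

// Constructed sample workflow fragment.
const SAMPLE_WORKFLOW = [
  "steps:",
  "  - uses: actions/checkout@v3",
  "  - uses: DoozyX/clang-format-lint-action@9ea72631b74e61ce337d0839a90e76180e997283 # pin@v0.13",
  "  - uses: other/unrelated@cafe0000000000000000000000000000000000ff # pin@v2",
];

if (typeof require !== "undefined" && require.main === module) {
  const r = updatePins(SAMPLE_WORKFLOW, "DoozyX/clang-format-lint-action@v0.14");
  console.log(r.lines.join("\n"));
  console.log(r.changed);
}
```

Note that with the @v0.14 selector the actions/checkout line stays unpinned and other/unrelated keeps its existing hash: nothing outside the selected action moves, which is the property the thread is after. Running the same function with the selector "*" pins actions/checkout and still leaves the two already-current lines alone.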

@lucasgonze
Contributor Author

--only would do the job.

I also like the "everything by a user/org" idea, because it allows for very trusted orgs like actions/.

@lucasgonze
Contributor Author

FYI: my PR for this feature is not yet ready, but I have submitted a couple other trivial features that became useful during development.

lucasgonze added a commit to lucasgonze/pin-github-action that referenced this issue Jun 24, 2022
@lucasgonze lucasgonze linked a pull request Jun 24, 2022 that will close this issue
@zeisss

zeisss commented Jul 6, 2023

Slightly off-topic, but github's Dependabot can not update github actions pinned by SHA if there is an appropriately formatted comment. See https://github.blog/changelog/2022-10-31-dependabot-now-updates-comments-in-github-actions-workflows-referencing-action-versions/
