This GitHub Action (written in JavaScript) allows you to leverage GitHub Actions to ensure that GitHub Actions are pinned to full length commit SHAs. This does not fail for referenced actions in the same repository when using the ./path/to/dir
syntax. For more information, see "using third-party actions."
Create a workflow .yml
file in your .github/workflows
directory. An example workflow is available below. For more information, reference the GitHub Help Documentation for Creating a workflow file.
For more information on these inputs, see the Workflow syntax for GitHub Actions
allowlist
: The list of owners or repositories that will be ignored and will not throw an error. Each entry must be on a new line. Optional. Default: `` (deny all). For example,
allowlist: |
aws-actions/ # Trust all actions published by aws-actions
docker/login-action # Trust docker's login-action only
dry_run
: Set totrue
to show warnings instead of failing. Optional. Default:false
(fail on any error)
None. This action will throw an error if it finds any GitHub Action that is not pinned to a full length commit SHAs.
Note: Only the first error encountered will be reported.
Ideally, set this up as an initial job for your workflows. For example:
on: push
name: Continuous Integration
jobs:
harden_security:
name: Harden Security
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
- name: Ensure SHA pinned actions
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@v2 # Replace this
with:
allowlist: |
aws-actions/
docker/login-action
See the contributing guide for detailed instructions on how to get started with our project.
The scripts and documentation in this project are released under the MIT License