Releases: suzuki-shunsuke/pinact
v0.2.0
Pull Requests | Issues | v0.1.3...v0.2.0
⚠️ Breaking Changes
#439 Ignore action versions other than semver (x.y.z) and short version (v1, v2, ...)
pinact ignores action versions such as main, master, and foo/v1.0.0.
Features
#439 Support verifying version annotations
https://github.com/suzuki-shunsuke/pinact/blob/main/docs/codes/001.md
Please see the following code.
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v3.5.1
You would assume the version of the action is v3.5.1 because the version annotation is "v3.5.1".
But the actual version is v2.7.0 because "ee0669bd1cc54295c223e0bb666b733df41de1c5" is the commit hash of v2.7.0.
Compare the two releases:
- https://github.com/actions/checkout/releases/tag/v3.5.1
- https://github.com/actions/checkout/releases/tag/v2.7.0
This shows that version annotations aren't necessarily correct.
In particular, an attacker can pin a full commit SHA that contains malicious code while putting a safe-looking tag in the version annotation.
If a pull request changes GitHub Actions, you should verify the version annotations.
pinact v0.1.3 or newer can verify version annotations using the --verify option of pinact run.
This verification works only if the version annotation is semver and the version is a full commit hash, as in the example above.
The option resolves the version annotation to a full commit hash via the GitHub API and compares it with the pinned version.
e.g.
$ pinact run --verify testdata/bar.yaml
ERRO[0000] parse a line action=actions/checkout action_version=ee0669bd1cc54295c223e0bb666b733df41de1c5 commit_hash_of_version_annotation=83b7061638ee4956cf7545a6f7efe594e5ad0247 error="verify the version annotation: action_version must be equal to commit_hash_of_version_annotation" help_docs="https://github.com/suzuki-shunsuke/pinact/blob/main/docs/codes/001.md" pinact_version=0.2.0 program=pinact version_annotation=v3.5.1 workflow_file=testdata/bar.yaml
Note that the --verify option calls the GitHub API to verify version annotations, which may hit API rate limits.
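The check described above, written out as an added example in Go (not pinact's own code): a `uses:` line is parsed, verification runs only when the pinned version is a full commit hash and the annotation is semver, and the resolver that stands in for the GitHub API is a constructed lookup seeded with the two actions/checkout commits quoted in these notes.

```go
package main

import (
	"fmt"
	"regexp"
)

// Patterns constructed for this example; pinact's own parser may differ.
var (
	usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*([^@\s]+)@([^\s#]+)\s*(?:#\s*(\S+))?`)
	fullSHA  = regexp.MustCompile(`^[0-9a-f]{40}$`)
	semver   = regexp.MustCompile(`^v?\d+\.\d+\.\d+$`)
)

// VerifyAnnotation mirrors --verify for one workflow line. resolve stands in for the
// GitHub API call that maps an action tag to its commit SHA (ok=false on 404). Only a
// full-SHA version with a semver annotation is checked; everything else is skipped.
func VerifyAnnotation(line string, resolve func(action, tag string) (string, bool)) string {
	m := usesLine.FindStringSubmatch(line)
	if m == nil {
		return "skip" // not a uses: step
	}
	action, version, annotation := m[1], m[2], m[3]
	if !fullSHA.MatchString(version) || !semver.MatchString(annotation) {
		return "skip" // e.g. @v3, or a SHA without an annotation: nothing to verify
	}
	want, ok := resolve(action, annotation)
	if !ok {
		return "skip" // tag not found: leave the line alone
	}
	if want != version {
		return "mismatch" // the annotation names a tag the pinned SHA does not belong to
	}
	return "ok"
}

// MapResolver is a constructed lookup (a real implementation would call the GitHub API).
func MapResolver(action, tag string) (string, bool) {
	sha, ok := map[string]string{
		"actions/checkout@v3.5.1": "83b7061638ee4956cf7545a6f7efe594e5ad0247",
		"actions/checkout@v2.7.0": "ee0669bd1cc54295c223e0bb666b733df41de1c5",
	}[action+"@"+tag]
	return sha, ok
}

func main() {
	line := "    - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v3.5.1"
	fmt.Println(VerifyAnnotation(line, MapResolver)) // mismatch
}
```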
Others
v0.1.3
Pull Requests | Issues | v0.1.2...v0.1.3
Features
#393 #394 Add .github/pinact.yaml as a default config path @kachick
Others
Update Go 1.20.5 to 1.22.2
v0.1.2-3
v0.1.2-2
v0.1.3-1
Update Go to v1.22.1
#358 Support lines with quotes @kazuki-hanai
v0.1.2
Pull Requests | Issues | v0.1.1...v0.1.2
Features
#99 Support configuration files
#99 Add a subcommand init to generate a configuration file
For the configuration file, please see Configuration.
- Support ignoring specific actions and reusable workflows
- Support specifying target files by regular expressions
e.g. .pinact.yaml
files:
  - pattern: "^\\.github/workflows/.*\\.ya?ml$"
  - pattern: "^(.*/)?action\\.ya?ml$"
ignore_actions:
  - name: actions/setup-java
  - name: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml
Add a subcommand init to generate a configuration file
$ pinact init # .pinact.yaml is generated.
v0.1.2-1
Pull Requests | Issues | v0.1.1...v0.1.2-1
Changelog
v0.1.1
Pull Requests | Issues | v0.1.0...v0.1.1
🐛 Bug Fixes
#95 #97 Keep lines of 404 actions
#96 #97 Skip actions pinned with full commit hash
Keep lines of 404 actions
AS IS
pinact v0.1.0 has a bug: if an action is not found (404), pinact removes its line.
$ pinact version
pinact version 0.1.0 (8ccd55944c83ff1f4d738343c28d4a6109246d06)
foo.yaml
name: foo
on: workflow_call
jobs:
  foo:
    runs-on: ubuntu-latest
    steps:
      - uses: suzuki-shunsuke/repo-404@83b7061638ee4956cf7545a6f7efe594e5ad0247
$ pinact run foo.yaml
WARN[0000] get a reference error="GET https://api.github.com/repos/suzuki-shunsuke/repo-404/commits/83b7061638ee4956cf7545a6f7efe594e5ad0247: 404 Not Found []" pinact_version=0.1.0 program=pinact workflow_file=foo.yaml
$ git diff foo.yaml
diff --git a/foo.yaml b/foo.yaml
index 7c23799..9ba4f83 100644
--- a/foo.yaml
+++ b/foo.yaml
@@ -4,4 +4,4 @@ jobs:
foo:
runs-on: ubuntu-latest
steps:
- - uses: suzuki-shunsuke/repo-404@83b7061638ee4956cf7545a6f7efe594e5ad0247
+
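Review bot: the `+` line of this hunk is empty, so the only step of the job is silently deleted and `steps:` is left with no entries; a 404 from the API is a lookup failure, not a reason to rewrite the line, and the tool should leave the original `uses:` line untouched (which is what the v0.1.1 fix below does).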
TO BE
pinact v0.1.1 fixed the bug.
If actions are not found, pinact ignores those actions.
$ pinact run foo.yaml
WARN[0000] get a reference error="GET https://api.github.com/repos/suzuki-shunsuke/repo-404/commits/83b7061638ee4956cf7545a6f7efe594e5ad0247: 404 Not Found []" pinact_version=0.1.1 program=pinact workflow_file=foo.yaml
$ git diff foo.yaml # No change
Skip actions pinned with full commit hash
pinact v0.1.0 has a bug: if an action is already pinned by a full commit hash but has no version comment, pinact appends the commit hash itself as the comment.
$ pinact version
pinact version 0.1.0 (8ccd55944c83ff1f4d738343c28d4a6109246d06)
foo.yaml
name: foo
on: workflow_call
jobs:
  foo:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247
$ pinact run foo.yaml
$ git diff foo.yaml
diff --git a/foo.yaml b/foo.yaml
index a52749f..c4c3f7f 100644
--- a/foo.yaml
+++ b/foo.yaml
@@ -4,4 +4,4 @@ jobs:
foo:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247
+ - uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247 # 83b7061638ee4956cf7545a6f7efe594e5ad0247
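Review bot: the `+` line only repeats the pinned SHA as its comment, which adds no version information for a reviewer and produces a spurious diff on a line that was already correctly pinned; a line pinned with a full commit hash and no annotation should be skipped rather than rewritten (the v0.1.1 behaviour described below).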
TO BE
pinact v0.1.1 fixed the bug. pinact skips actions pinned with a full commit hash.
$ pinact run foo.yaml
$ git diff foo.yaml # No change
v0.1.0
Pull Requests | Issues | https://github.com/suzuki-shunsuke/pinact/commits/v0.1.0
🎉 First release
v0.1.0-1
Pull Requests | Issues | ...v0.1.0-1
Changelog
- 374a4b1 ci: fix workflow
- 5992f88 test: update testdata
- 6e57e20 docs: update README
- 1e10b5d fix: fix commit hash
- 214e92d test: add testdata
- b801f09 docs: update README
- b025433 docs: update README
- 7a598e2 fix: set log level
- 2206343 test: fix testdata
- e1193e2 ci: merge integration test to test
- 90c124b fix: change log level
- c93fb3d fix: fix get ref parameter
- 3cf3f1b ci: fix workflows
- 863ac71 chore(go): go mod tidy
- e2e55c8 chore(aqua): update aqua/aqua-checksums.json
- 8101e61 fix: change log level
- 878cc0c feat: implement basic function
- fa04239 Initial commit