
Releases: suzuki-shunsuke/pinact

v0.2.0

25 May 05:36
134cde2

Pull Requests | Issues | v0.1.3...v0.2.0

⚠️ Breaking Changes

#439 Ignore action versions other than semver (x.y.z) and short version (v1, v2, ...)

pinact ignores action versions such as main, master, foo/v1.0.0.

Features

#439 Support verifying version annotations

https://github.com/suzuki-shunsuke/pinact/blob/main/docs/codes/001.md

Please see the following code.

- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v3.5.1

You would assume the version of the action is v3.5.1 because the version annotation is "v3.5.1".
But the actual version is v2.7.0 because "ee0669bd1cc54295c223e0bb666b733df41de1c5" is the commit hash of v2.7.0.
Please check releases.

This shows that version annotations are not necessarily correct.
In particular, an attacker can pin a full commit SHA that contains malicious code while writing a safe-looking tag in the version annotation.
If a pull request changes GitHub Actions, you should verify the version annotations.

pinact v0.1.3 or newer can verify version annotations with the --verify option of pinact run.
This verification works only if the version annotation is semver and the version is a full commit hash, as in the example above.
The option resolves the version annotation to a full commit hash via the GitHub API and compares it with the pinned commit hash.

e.g.

$ pinact run --verify testdata/bar.yaml
ERRO[0000] parse a line                                  action=actions/checkout action_version=ee0669bd1cc54295c223e0bb666b733df41de1c5 commit_hash_of_version_annotation=83b7061638ee4956cf7545a6f7efe594e5ad0247 error="verify the version annotation: action_version must be equal to commit_hash_of_version_annotation" help_docs="https://github.com/suzuki-shunsuke/pinact/blob/main/docs/codes/001.md" pinact_version=0.2.0 program=pinact version_annotation=v3.5.1 workflow_file=testdata/bar.yaml

Note that the --verify option calls the GitHub API to verify version annotations, so it may hit API rate limits.
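The check described above, as an added Go example that is not pinact's own code: it parses a `uses:` line, applies the #439 scoping rules (only full SHAs, semver tags and short tags are considered), and compares the pinned SHA with the SHA a resolver returns for the annotation. The `usesLine` pattern, `Resolver` and `VerifyUses` are constructed for this example; the resolver map stands in for the GitHub API.

```go
package main

import (
	"fmt"
	"regexp"
)

// usesLine matches "uses: owner/repo@ref # annotation"; a constructed
// pattern for this example, not pinact's own parser.
var usesLine = regexp.MustCompile(`uses:\s*([^@\s]+)@(\S+)(?:\s*#\s*(\S+))?`)
var (
	fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)
	semver  = regexp.MustCompile(`^v?\d+\.\d+\.\d+$`)
	short   = regexp.MustCompile(`^v?\d+$`)
)

// Resolver maps "owner/repo@tag" to the commit SHA that tag points at; it stands in for the GitHub API.
type Resolver map[string]string

// VerifyUses returns "ok" when the annotation resolves to the pinned SHA,
// "skip" when the line is outside --verify's scope, or an error on mismatch.
func VerifyUses(line string, r Resolver) (string, error) {
	m := usesLine.FindStringSubmatch(line)
	if m == nil {
		return "skip", nil // not a uses: line
	}
	action, ref, ann := m[1], m[2], m[3]
	if !fullSHA.MatchString(ref) && !semver.MatchString(ref) && !short.MatchString(ref) {
		return "skip", nil // main, master, foo/v1.0.0 ... are ignored (#439)
	}
	if !fullSHA.MatchString(ref) || !semver.MatchString(ann) {
		return "skip", nil // verification needs a full SHA pinned with a semver annotation
	}
	want, found := r[action+"@"+ann]
	if !found {
		return "", fmt.Errorf("annotation %s of %s could not be resolved", ann, action)
	}
	if want != ref {
		return "", fmt.Errorf("verify the version annotation: action_version %s must be equal to commit_hash_of_version_annotation %s", ref, want)
	}
	return "ok", nil
}

func main() {
	// Constructed resolver; the SHAs are the ones quoted in the v0.2.0 notes above.
	r := Resolver{"actions/checkout@v3.5.1": "83b7061638ee4956cf7545a6f7efe594e5ad0247"}
	_, err := VerifyUses("- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v3.5.1", r)
	fmt.Println(err) // the page's example: annotation v3.5.1 does not match the pinned SHA
}
```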

Others

#435 #436 #437 Refactoring

v0.1.3

01 May 04:34
7ab6467

Pull Requests | Issues | v0.1.2...v0.1.3

Features

#393 #394 Add .github/pinact.yaml as a default config path @kachick

Others

Update Go 1.20.5 to 1.22.2

v0.1.2-3

01 May 03:54
1b7824c
Pre-release

v0.1.2-2

01 May 03:27
e586494
Pre-release

v0.1.3-1

25 Mar 09:49
64eb44d
Pre-release

v0.1.2...v0.1.3-1

Update Go to v1.22.1
#358 Support lines with quotes @kazuki-hanai

v0.1.2

08 Jul 06:37
653c220

Pull Requests | Issues | v0.1.1...v0.1.2

Features

#99 Support configuration files
#99 Add a subcommand init to generate a configuration file

For details of the configuration file, please see Configuration.

  • Support ignoring specific actions and reusable workflows
  • Support specifying target files by regular expressions

e.g. .pinact.yaml

files:
  - pattern: "^\\.github/workflows/.*\\.ya?ml$"
  - pattern: "^(.*/)?action\\.ya?ml$"

ignore_actions:
  - name: actions/setup-java
  - name: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml

Add a subcommand init to generate a configuration file

$ pinact init # .pinact.yaml is generated.

v0.1.2-1

08 Jul 05:28
2c71268
Pre-release

Pull Requests | Issues | v0.1.1...v0.1.2-1

Changelog

  • 2c71268 ci: add a test
  • 476c4ce feat: support configuration files
  • 46bafa3 Merge pull request #98 from suzuki-shunsuke/renovate/goreleaser-goreleaser-1.x
  • 0108f48 chore(aqua): update aqua/aqua-checksums.json
  • 461939c chore(deps): update dependency goreleaser/goreleaser to v1.19.2

v0.1.1

06 Jul 11:02
6dc04f6

Pull Requests | Issues | v0.1.0...v0.1.1

🐛 Bug Fixes

#95 #97 Keep lines of 404 actions
#96 #97 Skip actions pinned with full commit hash

Keep lines of 404 actions

AS IS

pinact v0.1.0 has a bug: if an action is not found, its line is removed from the workflow.

$ pinact version
pinact version 0.1.0 (8ccd55944c83ff1f4d738343c28d4a6109246d06)

foo.yaml

name: foo
on: workflow_call
jobs:
  foo:
    runs-on: ubuntu-latest
    steps:
      - uses: suzuki-shunsuke/repo-404@83b7061638ee4956cf7545a6f7efe594e5ad0247
$ pinact run foo.yaml 
WARN[0000] get a reference                               error="GET https://api.github.com/repos/suzuki-shunsuke/repo-404/commits/83b7061638ee4956cf7545a6f7efe594e5ad0247: 404 Not Found []" pinact_version=0.1.0 program=pinact workflow_file=foo.yaml
$ git diff foo.yaml 
diff --git a/foo.yaml b/foo.yaml
index 7c23799..9ba4f83 100644
--- a/foo.yaml
+++ b/foo.yaml
@@ -4,4 +4,4 @@ jobs:
   foo:
     runs-on: ubuntu-latest
     steps:
-      - uses: suzuki-shunsuke/repo-404@83b7061638ee4956cf7545a6f7efe594e5ad0247
+
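Review bot: the replacement line is blank, so when the GitHub API returns 404 for suzuki-shunsuke/repo-404 the step is deleted from the workflow instead of being left as it was; on a lookup failure the original `uses:` line should be kept unchanged, which is the v0.1.1 behaviour described under "TO BE".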

TO BE

pinact v0.1.1 fixed the bug.
If actions are not found, pinact ignores those actions.

$ pinact run foo.yaml 
WARN[0000] get a reference                               error="GET https://api.github.com/repos/suzuki-shunsuke/repo-404/commits/83b7061638ee4956cf7545a6f7efe594e5ad0247: 404 Not Found []" pinact_version=0.1.1 program=pinact workflow_file=foo.yaml

$ git diff foo.yaml # No change

Skip actions pinned with full commit hash

pinact v0.1.0 has a bug: if an action is pinned with a commit hash but has no comment, the commit hash itself is appended as the comment.

$ pinact version
pinact version 0.1.0 (8ccd55944c83ff1f4d738343c28d4a6109246d06)

foo.yaml

name: foo
on: workflow_call
jobs:
  foo:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247
$ pinact run foo.yaml 
$ git diff foo.yaml
diff --git a/foo.yaml b/foo.yaml
index a52749f..c4c3f7f 100644
--- a/foo.yaml
+++ b/foo.yaml
@@ -4,4 +4,4 @@ jobs:
   foo:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247
+      - uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247 # 83b7061638ee4956cf7545a6f7efe594e5ad0247
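Review bot: the added comment repeats the SHA that is already the ref, so the line gains no version information; an action already pinned with a full commit hash should be skipped rather than annotated with its own hash, which is what v0.1.1 does.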

TO BE

pinact v0.1.1 fixed the bug. pinact skips actions pinned with full commit hash.

$ pinact run foo.yaml
$ git diff foo.yaml # No change

v0.1.0

14 Apr 03:05
8ccd559

v0.1.0-1

14 Apr 02:44
374a4b1
Pre-release

Pull Requests | Issues | ...v0.1.0-1

Changelog