zgosalvez / github-actions-ensure-sha-pinned-actions

A GitHub Action to ensure that actions are pinned to full-length commit SHAs
https://github.com/marketplace/actions/ensure-sha-pinned-actions
MIT License

GitHub Action — Ensure SHA Pinned Actions


This GitHub Action (written in JavaScript) lets you use GitHub Actions to check that the GitHub Actions your workflows reference are pinned to full-length commit SHAs rather than to mutable tags or branches. It does not fail for actions referenced in the same repository using the ./path/to/dir syntax. For more information, see "Using third-party actions."

Usage

Pre-requisites

Create a workflow .yml file in your .github/workflows directory. An example workflow is available below. For more information, reference the GitHub Help Documentation for Creating a workflow file.

Inputs

For more information on these inputs, see the Workflow syntax for GitHub Actions.

Outputs

None. This action will throw an error if it finds any GitHub Action that is not pinned to a full-length commit SHA.

Note: Only the first error encountered will be reported.

Common workflow

Ideally, set this up as an initial job for your workflows. For example:

on: push

name: Continuous Integration

jobs:
  harden_security:
    name: Harden Security
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
      - name: Ensure SHA pinned actions
        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@v2 # Replace this
        with:
          allowlist: |
            aws-actions/
            docker/login-action
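The following is an added illustration of the check described above, not the action's own source code. It scans the text of a workflow file line by line for `uses:` references, skips local `./path` actions and any reference whose prefix appears in an allowlist (the same format as the `allowlist` input in the workflow above), and reports every third-party action whose version is not a 40-character hexadecimal commit SHA. Unlike the real action, which stops at the first error, this example collects all findings; the sample workflow, the allowlist contents, and the function names are constructed for the example.

```javascript
// Added example, not the action's own code: a minimal SHA-pinning checker
// for GitHub workflow files. Parsing is line-based (no YAML library needed).

const FULL_SHA = /^[0-9a-f]{40}$/;                           // full-length git commit SHA
const USES_LINE = /^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?/;  // captures the reference after `uses:`

// Parse the allowlist input: one prefix per line, blank lines ignored.
function parseAllowlist(text) {
  return text.split('\n').map(s => s.trim()).filter(Boolean);
}

// Decide whether a single `uses:` reference is acceptable.
// Returns { ok: true } or { ok: false, reason: '...' }.
function checkReference(ref, allowlist) {
  if (ref.startsWith('./')) {
    return { ok: true };                      // local action in the same repository
  }
  if (allowlist.some(prefix => ref.startsWith(prefix))) {
    return { ok: true };                      // explicitly allowlisted by prefix
  }
  const at = ref.lastIndexOf('@');
  if (at < 0) {
    return { ok: false, reason: `${ref} has no version reference` };
  }
  const version = ref.slice(at + 1);
  if (!FULL_SHA.test(version)) {
    return { ok: false, reason: `${ref} is not pinned to a full-length commit SHA` };
  }
  return { ok: true };
}

// Scan the full text of a workflow file. Returns an array of findings
// ({ line, ref, reason }); it is empty when every action is acceptably pinned.
function scanWorkflow(text, allowlist = []) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    const m = USES_LINE.exec(line);
    if (!m) return;
    const result = checkReference(m[1], allowlist);
    if (!result.ok) findings.push({ line: i + 1, ref: m[1], reason: result.reason });
  });
  return findings;
}

// Constructed sample workflow covering the cases the checker distinguishes.
const SAMPLE_WORKFLOW = `
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
      - uses: actions/setup-node@v3
      - uses: ./.github/actions/local-thing
      - uses: docker/login-action@v2
      - uses: aws-actions/configure-aws-credentials@v1
      - uses: some-org/some-action@main
`;

// Constructed allowlist, in the same format as the `allowlist` input.
const SAMPLE_ALLOWLIST = parseAllowlist(`
aws-actions/
docker/login-action
`);

// Run the checker over the sample and return its findings.
function runSample() {
  return scanWorkflow(SAMPLE_WORKFLOW, SAMPLE_ALLOWLIST);
}

for (const f of runSample()) {
  console.log(`line ${f.line}: ${f.reason}`);
}
```

Only `actions/setup-node@v3` and `some-org/some-action@main` are reported: the checkout step is pinned to a full SHA, the local action is skipped, and the two allowlisted references pass even though they use tags. In a real pipeline the check belongs in an early job, as the workflow above shows, so that unpinned references fail the run before any later job executes third-party code.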

Contributing

See the contributing guide for detailed instructions on how to get started with our project.

License

The scripts and documentation in this project are released under the MIT License.