gh-action-pin

Module version: v0.0.3
Published: Jun 5, 2025 License: AGPL-3.0

README

GitHub Actions Pin Tool


Stability Notice

  • Behavior Stability: The CLI's exit codes and file modification behavior are considered stable
  • Output Stability: Specific output messages to stdout/stderr may change between versions
  • Interface Stability: Command line flags and configuration options are stable

While we strive to maintain compatibility, scripts parsing CLI output should use the exit codes and file changes as their primary integration points.

Example: Fixing Unpinned Actions

Running gh-action-pin --fix on a repository with unpinned actions produces output similar to the following:

Found unpinned actions:
• .github/workflows/checks.yaml:60 - pyright@actions/checkout@v4
• .github/workflows/checks.yaml:25 - format@actions/setup-python@v5
• .github/workflows/checks.yaml:41 - lint@actions/checkout@v4
• .github/workflows/checks.yaml:61 - pyright@astral-sh/setup-uv@v6
• .github/workflows/checks.yaml:83 - test@actions/setup-python@v5
• .github/workflows/checks.yaml:20 - format@actions/checkout@v4
• .github/workflows/checks.yaml:78 - test@actions/checkout@v4
• .github/workflows/checks.yaml:79 - test@astral-sh/setup-uv@v6
• .github/workflows/checks.yaml:93 - test@Upload coverage artifact@actions/upload-artifact@v4
• .github/workflows/checks.yaml:42 - lint@astral-sh/setup-uv@v6
• .github/workflows/checks.yaml:46 - lint@actions/setup-python@v5
• .github/workflows/codeql.yml:72 - analyze@Initialize CodeQL@github/codeql-action/init@v3
• .github/workflows/codeql.yml:100 - analyze@Perform CodeQL Analysis@github/codeql-action/analyze@v3
• .github/workflows/checks.yaml:65 - pyright@actions/setup-python@v5
• .github/workflows/checks.yaml:21 - format@astral-sh/setup-uv@v6
• .github/workflows/codeql.yml:62 - analyze@Checkout repository@actions/checkout@v4

Found 16 unpinned GitHub Actions
.github/workflows/checks.yaml: pinning actions/checkout@v4 to 11bd71901bbe5b1630ceea73d27597364c9af683
.github/workflows/checks.yaml: pinning astral-sh/setup-uv@v6 to f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb
.github/workflows/checks.yaml: pinning actions/setup-python@v5 to a26af69be951a213d495a4c3e4e4022e16d87065
.github/workflows/checks.yaml: pinning actions/checkout@v4 to 11bd71901bbe5b1630ceea73d27597364c9af683
.github/workflows/checks.yaml: pinning astral-sh/setup-uv@v6 to f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb
.github/workflows/checks.yaml: pinning actions/setup-python@v5 to a26af69be951a213d495a4c3e4e4022e16d87065
.github/workflows/checks.yaml: pinning actions/upload-artifact@v4 to ea165f8d65b6e75b540449e92b4886f43607fa02
.github/workflows/checks.yaml: pinning actions/checkout@v4 to 11bd71901bbe5b1630ceea73d27597364c9af683
.github/workflows/checks.yaml: pinning astral-sh/setup-uv@v6 to f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb
.github/workflows/checks.yaml: pinning actions/setup-python@v5 to a26af69be951a213d495a4c3e4e4022e16d87065
.github/workflows/checks.yaml: pinning actions/checkout@v4 to 11bd71901bbe5b1630ceea73d27597364c9af683
.github/workflows/checks.yaml: pinning astral-sh/setup-uv@v6 to f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb
.github/workflows/checks.yaml: pinning actions/setup-python@v5 to a26af69be951a213d495a4c3e4e4022e16d87065
.github/workflows/codeql.yml: pinning actions/checkout@v4 to 11bd71901bbe5b1630ceea73d27597364c9af683
.github/workflows/codeql.yml: pinning github/codeql-action/init@v3 to ff0a06e83cb2de871e5a09832bc6a81e7276941f
.github/workflows/codeql.yml: pinning github/codeql-action/analyze@v3 to ff0a06e83cb2de871e5a09832bc6a81e7276941f
Successfully fixed 16 unpinned actions
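
The detection and rewrite reflected in the output above, written here as an added Go example (not gh-action-pin's own code). `Finding`, `FindUnpinned`, `Pin` and the sample workflow are hypothetical and constructed for illustration; keeping the old tag as a trailing comment is this example's choice, and the SHA is the one the output reports for actions/checkout@v4.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// usesRe captures action and ref from `uses: owner/repo[/path]@ref` (quotes optional).
	usesRe = regexp.MustCompile(`^\s*(?:-\s*)?uses:\s*["']?([^@\s"']+)@([^\s"'#]+)`)
	shaRe  = regexp.MustCompile(`^[0-9a-f]{40}$`) // full commit SHA: cannot be re-pointed like a tag
)

// Finding is one unpinned reference (hypothetical type, not the tool's).
type Finding struct {
	Line        int
	Action, Ref string
}

// FindUnpinned lists `uses:` refs that are not full commit SHAs; local ./path and docker:// are skipped.
func FindUnpinned(workflow string) []Finding {
	var out []Finding
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m != nil && !strings.HasPrefix(m[1], "docker://") && !shaRe.MatchString(m[2]) {
			out = append(out, Finding{i + 1, m[1], m[2]})
		}
	}
	return out
}

// Pin rewrites findings present in resolved (key "action@ref") to the SHA; assumes LF line endings.
func Pin(workflow string, resolved map[string]string) string {
	lines := strings.Split(workflow, "\n")
	for _, f := range FindUnpinned(workflow) {
		key := f.Action + "@" + f.Ref
		if sha, ok := resolved[key]; ok {
			lines[f.Line-1] = strings.Replace(lines[f.Line-1], key, f.Action+"@"+sha, 1) + " # " + f.Ref
		}
	}
	return strings.Join(lines, "\n")
}

func main() {
	// Constructed workflow; the SHA is the one the output above shows for actions/checkout@v4.
	wf := "steps:\n  - uses: actions/checkout@v4\n  - uses: ./local-action\n"
	fmt.Print(Pin(wf, map[string]string{"actions/checkout@v4": "11bd71901bbe5b1630ceea73d27597364c9af683"}))
}
```

References missing from the `resolved` map are left untouched, so a second `FindUnpinned` pass over the result shows what still needs a SHA.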

Contact

The creator of gh-action-pin can be reached at mads 'at' v42 'dot' dk.

Directories

Path: Synopsis
cmd
internal
actionlookup: Package actionlookup provides GitHub Action version resolution to SHA hashes.
workflow: Package workflow provides tools for analyzing and securing GitHub Actions workflows.
