A Github Action to ensure that actions are pinned to full length commit SHAs


zgosalvez/github-actions-ensure-sha-pinned-actions


This GitHub Action (written in JavaScript) allows you to leverage GitHub Actions to ensure that GitHub Actions are pinned to full length commit SHAs. This does not fail for referenced actions in the same repository when using the ./path/to/dir syntax. For more information, see "using third-party actions."

Usage

Pre-requisites

Create a workflow.yml file in your .github/workflows directory. An example workflow is available below. For more information, reference the GitHub Help Documentation for Creating a workflow file.

Inputs

For more information on these inputs, see the Workflow syntax for GitHub Actions

  • allowlist: The list of owners or repositories that will be ignored and will not throw an error. Each entry must be on a new line. Optional. Default: `` (deny all). For example:

    ```yaml
    allowlist: |
      aws-actions/ # Trust all actions published by aws-actions
      docker/login-action # Trust docker's login-action only
    ```

  • dry_run: Set to true to show warnings instead of failing. Optional. Default: false (fail on any error)

Outputs

None. This action will throw an error if it finds any GitHub Action that is not pinned to a full length commit SHA.

Note: Only the first error encountered will be reported.

Common workflow

Ideally, set this up as an initial job for your workflows. For example:

```yaml
on: push

name: Continuous Integration

jobs:
  harden_security:
    name: Harden Security
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
      - name: Ensure SHA pinned actions
        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@v2 # Replace this
        with:
          allowlist: |
            aws-actions/
            docker/login-action
```
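The rule described above (full length SHA required, `./` paths exempt, allowlisted owners or repositories ignored), as an added JavaScript example that is not this action's own source code. It assumes a line-based scan of `uses:` keys, allowlist matching on owner and repository boundaries, and that every finding is returned rather than only the first; `docker://` image references are not handled, and the function names and sample workflow are constructed for illustration.

```javascript
// Added example: a stand-alone sketch, not the action's own source code.
const FULL_SHA = /^[0-9a-f]{40}$/; // a full-length SHA-1 commit id is 40 hex chars

// One allowlist entry per line; trailing "# comments" and blank lines are dropped.
function parseAllowlist(text) {
  return text.split('\n').map((l) => l.replace(/#.*$/, '').trim()).filter(Boolean);
}

// "owner/" trusts every repository of that owner; "owner/repo" trusts only that
// repository (and sub-paths inside it), so "owner/repo-fork" is NOT trusted.
function isAllowed(name, allow) {
  return allow.some((e) =>
    e.endsWith('/') ? name.startsWith(e) : name === e || name.startsWith(e + '/'));
}

// Returns every `uses:` reference that is neither local, allowlisted, nor SHA-pinned.
function findUnpinned(workflowText, allowlistText = '') {
  const allow = parseAllowlist(allowlistText);
  const findings = [];
  workflowText.split('\n').forEach((line, i) => {
    const m = line.match(/^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)/);
    if (!m) return;
    const ref = m[1];
    if (ref.startsWith('./')) return; // same-repository action: exempt
    const at = ref.lastIndexOf('@');
    const name = at === -1 ? ref : ref.slice(0, at);
    const version = at === -1 ? '' : ref.slice(at + 1);
    if (isAllowed(name, allow) || FULL_SHA.test(version)) return;
    findings.push({ line: i + 1, ref });
  });
  return findings;
}

// Constructed sample workflow (not taken from any real repository).
const SAMPLE = [
  'jobs:',
  '  build:',
  '    steps:',
  '      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4',
  '      - uses: actions/setup-node@v4            # tag: mutable',
  '      - uses: example-org/deploy@5a4ac90       # short SHA: not full length',
  '      - uses: ./.github/actions/local',
  '      - uses: aws-actions/configure-aws-credentials@v4',
  '      - uses: docker/login-action@v3',
  '      - uses: docker/login-action-fork@v3      # must not match docker/login-action',
].join('\n');
const ALLOWLIST = 'aws-actions/  # owner\ndocker/login-action  # one repository';

console.log(findUnpinned(SAMPLE, ALLOWLIST));
```

Matching `docker/login-action` by plain string prefix would also trust the constructed `docker/login-action-fork`; the boundary check in `isAllowed` is what keeps that reference in the findings.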

Contributing

See the contributing guide for detailed instructions on how to get started with our project.

License

The scripts and documentation in this project are released under the MIT License
