Feature: support GitHub enterprise

[marcellodesales]

🎉 Support Github Enterprise Server/Cloud

• Just using the env.GITHUB_API_SERVER in case it's provided for ALL API calls without any fallback
• Use the config property as first precedence when configured through a config file
• Added capabilities to support a more granular approach in Github Pull Requests:
  • strict files list from the PR

🐛 Bugfixes

• The CLI was incorrectly handling the restrictions of owners...

📸 Screenshots

• The full Github Suggested Changes, supported from Github Enterprise 3.18.x forward, is fully supported

Note

• There's a list of 50 files to be reported in the PR with reviewdog.
• If the list is larger than that, the Github Suggested Changes will NOT Show up

Here's an example on Github Enterprise Server, bypassing the ReviewDog's API Token and using the Github Actions approach:

Ticket

• Fixes requirement at Github Enterprise Support #19

✅ Test Cases

• Updated with the verification of the new configs

📚 Docs

• Adding remarks
• Show config examples for the new config section

⌨️ Tests

• Setup

go install ./...

$ go env GOBIN GOPATH

/Users/mdesales/go

```console
$  /Users/mdesales/go/bin/gha-fix pin --help
Pin GitHub Actions used in workflow files (.yml or .yaml) to specific commit SHAs.

This command scans GitHub Actions in workflow files and replaces references like 'owner/repo@v1'
with specific commit SHAs like 'owner/repo@8843d7f53bd34e3b78f2acee556ba5d53feae7c4'.

Usage:
  pin [file1 file2 ...]

If no files are specified, all workflow files (.yml or .yaml) in the current directory
and subdirectories will be processed.

You can customize the behavior with the following options:
  --ignore-owners: Skip actions from specific owners (e.g., "actions,github")
  --ignore-repos: Skip specific repositories (e.g., "actions/checkout,docker/login-action")
  --strict-pinning-202508: Enable strict SHA pinning for composite actions (GitHub's SHA pinning enforcement policy)
  --api-server: Full GitHub API base URL (e.g., https://github.enterprise.company.com/api/v3/)

The --strict-pinning-202508 option implements support for GitHub's SHA pinning enforcement policy
announced in August 2025. When enabled:
  - Composite actions (e.g., actions/checkout@v4) will be pinned to SHAs even if owner is in ignore-owners
  - Reusable workflows (e.g., org/repo/.github/workflows/build.yml@main) still respect ignore-owners

This helps organizations comply with GitHub's security policies while maintaining flexibility
for reusable workflows. See: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/

Global options:
  --ignore-dirs: Skip specific directories when searching for workflow files (e.g., "node_modules,dist")

Note: GITHUB_TOKEN environment variable is required to fetch tags and commit SHAs from GitHub.

Usage:
  gha-fix pin [flags]

Flags:
      --api-server string                Full GitHub API base URL (e.g., https://github.enterprise.company.com/api/v3). When specified, you must provide 'github-enterprise-token'
      --github-enterprise-token string   GitHub Enterprise token for accessing the configured --api-server (can also be set via GITHUB_ENTERPRISE_TOKEN env var or pin.github-enterprise-token in config)
      --github-token string              GitHub token for accessing GitHub.com API (can also be set via GITHUB_TOKEN env var or pin.github-token in config)
  -h, --help                             help for pin
      --ignore-owners strings            Comma-separated list of owners to ignore
      --ignore-repos strings             Comma-separated list of repos to ignore in format owner/repo
      --strict-pinning-202508            Enable strict SHA pinning for composite actions (GitHub's SHA pinning enforcement policy)

Global Flags:
  -c, --config string         config file (default is ./gha-fix.yaml)
      --ignore-dirs strings   Comma-separated list of directory names to ignore when searching for workflow files (default [.git,node_modules,dist,out,vendor,.idea,.vscode,bin,build,tmp,coverage,.cache,__pycache__])
  -l, --log-level string      set log level (debug, info, warn, error) (default "info")

$ /Users/mdesales/go/bin/gha-fix pin --api-server https://github.company.com/api/v3 --github-enterprise-token ghp_gU********es
2025-12-30 17:31:15.067 INF no changes needed. all GitHub Actions are already pinned or no actions found.

⌨️ Test with wrong token

$ /Users/mdesales/go/bin/gha-fix pin --api-server https://github.company.com/api/v3 --github-token ghp_gUes
2025-12-30 17:29:21.030 ERR GitHub Enterprise token is required when using --api-server. Set --github-enterprise-token, pin.github-enterprise-token, or GITHUB_ENTERPRISE_TOKEN.

$ /Users/mdesales/go/bin/gha-fix pin --api-server https://github.company.com/api/v3 --github-enterprise-token ghp_g*****Ues
2025-12-30 13:29:46.107 ERR failed to pin actions error=failed to process file: action.yaml: failed to replace actions in file: action.yaml: failed to resolve version for seceng-devsecops-platform/wearerequired-slack-messaging-action@v3.0.0: failed to list tags for seceng-devsecops-platform/wearerequired-slack-messaging-action: GET https://github.company.com/api/v3/repos/seceng-devsecops-platform/wearerequired-slack-messaging-action/tags?per_page=100: 403  []

⌨️ Tests without Github.com token

• It may fail depending on your IP address
• It might just fail with a bad credential

$ /Users/mdesales/go/bin/gha-fix pin --api-server https://git.viasat.com/api/v3 --github-enterprise-token ghp_g******TUes --log-level debug
2025-12-30 15:58:05.929 DBG searching for workflow files to process
2025-12-30 15:58:05.931 DBG skipping directory path=build name=build
2025-12-30 15:58:05.937 DBG found workflow files count=15
2025-12-30 15:58:05.937 DBG processing file path=custom/load-mapped-repos-to-matrix/action.yaml
2025-12-30 15:58:05.940 DBG processing file path=docker/prisma-cloud-scan-reporter/action.yaml
2025-12-30 15:58:05.945 DBG processing file path=docker/sbom-reporter/action.yaml
2025-12-30 15:58:05.951 DBG processing file path=github/check-runs-create/action.yaml
2025-12-30 15:58:05.954 DBG processing file path=github/check-runs-synchronized/action.yaml
2025-12-30 15:58:05.958 DBG processing file path=github/check-runs-terminate/action.yaml
2025-12-30 15:58:05.961 DBG processing file path=github/ghas-dependabot-metadata/action.yaml
2025-12-30 15:58:05.967 DBG fetching tags for version resolution owner=actions repo=checkout page=0
2025-12-30 15:58:07.101 DBG fetching tags for version resolution owner=dependabot repo=fetch-metadata page=0
2025-12-30 15:58:07.430 DBG fallback to github.com owner=dependabot repo=fetch-metadata page=0
2025-12-30 15:58:08.449 ERR failed to pin actions error=failed to process file: github/ghas-dependabot-metadata/action.yaml: failed to replace actions in file: github/ghas-dependabot-metadata/action.yaml: failed to resolve version for dependabot/fetch-metadata@v2.3.0: failed to list tags for dependabot/fetch-metadata: GET https://api.github.com/repos/dependabot/fetch-metadata/tags?per_page=100: 401 Bad credentials []

⌨️ Tests with fallback

• When a github.com token is not provided, then the pin may also fail due to the fact of a rate limit...
• The example is with the dependabot action, which is NOT mirrored in Github Enterprise servers... Then, API calls to https://api.github.com/repos/dependabot/fetch-metadata/tags may also be throttled for a developer without an GITHUB_TOKEN.
• Actions from mirror repos, custom reusable actions included
• Actions that are NOT mirrored, and are checked with the github.com fallback

$ /Users/mdesales/go/bin/gha-fix pin --api-server https://github.company.com/api/v3 --github-enterprise-token ghp_gY***TUes --log-level debug
2025-12-30 15:58:05.929 DBG searching for workflow files to process
2025-12-30 15:58:05.931 DBG skipping directory path=build name=build
2025-12-30 15:58:05.937 DBG found workflow files count=15
2025-12-30 15:58:05.937 DBG processing file path=custom/load-mapped-repos-to-matrix/action.yaml
2025-12-30 15:58:05.940 DBG processing file path=docker/prisma-cloud-scan-reporter/action.yaml
2025-12-30 15:58:05.945 DBG processing file path=docker/sbom-reporter/action.yaml
2025-12-30 15:58:05.951 DBG processing file path=github/check-runs-create/action.yaml
2025-12-30 15:58:05.954 DBG processing file path=github/check-runs-synchronized/action.yaml
2025-12-30 15:58:05.958 DBG processing file path=github/check-runs-terminate/action.yaml
2025-12-30 15:58:05.961 DBG processing file path=github/ghas-dependabot-metadata/action.yaml
2025-12-30 15:58:05.967 DBG fetching tags for version resolution owner=actions repo=checkout page=0
2025-12-30 15:58:07.101 DBG fetching tags for version resolution owner=dependabot repo=fetch-metadata page=0
2025-12-30 15:58:07.430 DBG fallback to github.com owner=dependabot repo=fetch-metadata page=0
2025-12-30 15:58:08.449 ERR failed to pin actions error=failed to process file: github/ghas-dependabot-metadata/action.yaml: failed to replace actions in file: github/ghas-dependabot-metadata/action.yaml: failed to resolve version for dependabot/fetch-metadata@v2.3.0: failed to list tags for dependabot/fetch-metadata: GET https://api.github.com/repos/dependabot/fetch-metadata/tags?per_page=100: 401 Bad credentials []

• When the token is then provided for both the Enterprise and Github.com, then patching is always guaranteed as the Github.com Token rate limit is also risen.

$ /Users/mdesales/go/bin/gha-fix pin --api-server https://github.company.com/api/v3 --github-enterprise-token ghp_g****TUes --log-level debug --github-token ghp_5****3My1
2025-12-30 15:59:09.794 DBG searching for workflow files to process
2025-12-30 15:59:09.797 DBG skipping directory path=build name=build
2025-12-30 15:59:09.803 DBG found workflow files count=15
2025-12-30 15:59:09.803 DBG processing file path=custom/load-mapped-repos-to-matrix/action.yaml
2025-12-30 15:59:09.803 DBG processing file path=docker/prisma-cloud-scan-reporter/action.yaml
2025-12-30 15:59:09.804 DBG processing file path=docker/sbom-reporter/action.yaml
2025-12-30 15:59:09.804 DBG processing file path=github/check-runs-create/action.yaml
2025-12-30 15:59:09.805 DBG processing file path=github/check-runs-synchronized/action.yaml
2025-12-30 15:59:09.806 DBG processing file path=github/check-runs-terminate/action.yaml
2025-12-30 15:59:09.806 DBG processing file path=github/ghas-dependabot-metadata/action.yaml
2025-12-30 15:59:09.807 DBG fetching tags for version resolution owner=actions repo=checkout page=0
2025-12-30 15:59:10.742 DBG fetching tags for version resolution owner=dependabot repo=fetch-metadata page=0
2025-12-30 15:59:11.037 DBG fallback to github.com owner=dependabot repo=fetch-metadata page=0
2025-12-30 15:59:12.140 DBG fetching tags for version resolution owner=actions repo=github-script page=0
2025-12-30 15:59:12.489 INF file updated path=github/ghas-dependabot-metadata/action.yaml
2025-12-30 15:59:12.489 DBG processing file path=github/ghas-enablement-status/action.yaml
2025-12-30 15:59:12.511 INF file updated path=github/ghas-enablement-status/action.yaml
2025-12-30 15:59:12.511 DBG processing file path=github/mermaid-diagrams/gh-action/action.yaml
2025-12-30 15:59:12.529 INF file updated path=github/mermaid-diagrams/gh-action/action.yaml
2025-12-30 15:59:12.529 DBG processing file path=github/workflow-run-logs/action.yaml
2025-12-30 15:59:12.535 DBG processing file path=github/workflow-run-logs-grep/action.yaml
2025-12-30 15:59:12.540 DBG fetching tags for version resolution owner=seceng-devsecops-platform repo=qoomon-actions--context page=0
2025-12-30 15:59:12.881 DBG fetching commit SHA for branch owner=seceng-devsecops-platform repo=devsecops-platform-github-workflows ref=main
2025-12-30 15:59:13.221 INF file updated path=github/workflow-run-logs-grep/action.yaml
2025-12-30 15:59:13.221 DBG processing file path=messaging/slack-notification/action.yaml
2025-12-30 15:59:13.226 DBG fetching tags for version resolution owner=seceng-devsecops-platform repo=wearerequired-slack-messaging-action page=0
2025-12-30 15:59:13.549 INF file updated path=messaging/slack-notification/action.yaml
2025-12-30 15:59:13.549 DBG processing file path=messaging/slack-notification/arc_harden_runner_values.yaml
2025-12-30 15:59:13.550 DBG processing file path=platform/core/set-base-values/action.yaml
2025-12-30 15:59:13.553 DBG processing file path=platform/core/set-docker-image-settings/action.yaml
2025-12-30 15:59:13.557 INF successfully pinned GitHub Actions to specific commit SHAs changed=5

• Here's a full diff example where mirror actions are fetched locally
  • actions/checkout

diff --git a/actions/custom/load-mapped-repos-to-matrix/action.yaml b/actions/custom/load-mapped-repos-to-matrix/action.yaml
index 180d4ac..91018fe 100644
--- a/actions/custom/load-mapped-repos-to-matrix/action.yaml
+++ b/actions/custom/load-mapped-repos-to-matrix/action.yaml
@@ -21,7 +21,7 @@ runs:
   using: composite
   steps:
     - name: Checkout the customer .github repo
-      uses: actions/checkout@v4.2.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Read the entries in ${{ inputs.mirrored-repos-map-file }}
       shell: bash
diff --git a/actions/docker/prisma-cloud-scan-reporter/action.yaml b/actions/docker/prisma-cloud-scan-reporter/action.yaml
index 7171310..9d8060b 100644
--- a/actions/docker/prisma-cloud-scan-reporter/action.yaml
+++ b/actions/docker/prisma-cloud-scan-reporter/action.yaml
@@ -190,7 +190,7 @@ runs:
         fi
 
     - name: Add Prisma Cloud PR Comment
-      uses: seceng-devsecops-platform/marocchino-sticky-pull-request-comment-action@v2
+      uses: seceng-devsecops-platform/marocchino-sticky-pull-request-comment-action@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
       if: ${{ steps.scan-check.outputs.scan-report-generated == 'true' }}
       with:
         header: prisma-scan-result-${{ inputs.docker-image-repo-tag }}
diff --git a/actions/docker/sbom-reporter/action.yaml b/actions/docker/sbom-reporter/action.yaml
index 3268142..522a708 100644
--- a/actions/docker/sbom-reporter/action.yaml
+++ b/actions/docker/sbom-reporter/action.yaml
@@ -135,7 +135,7 @@ runs:
         fi
 
     - name: Add Docker SBOM PR Comment
-      uses: seceng-devsecops-platform/marocchino-sticky-pull-request-comment-action@v2
+      uses: seceng-devsecops-platform/marocchino-sticky-pull-request-comment-action@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
       if: ${{ steps.sbom-check.outputs.sbom-generated == 'true' && inputs.add-comment-to-current-pr == 'true' }}
       with:
         header: sbom-report-${{ inputs.docker-image-repo-tag }}
diff --git a/actions/github/check-runs-synchronized/action.yaml b/actions/github/check-runs-synchronized/action.yaml
index 939cb7a..efd8c1c 100644
--- a/actions/github/check-runs-synchronized/action.yaml
+++ b/actions/github/check-runs-synchronized/action.yaml
@@ -44,7 +44,7 @@ runs:
       shell: bash
 
     - name: Synchronize on all workflows in the current PR with currently defined PR checks
-      uses: seceng-devsecops-platform/wechuli-allcheckspassed@v2.1.0
+      uses: seceng-devsecops-platform/wechuli-allcheckspassed@f423b273f5fdf73582e41f8f6f0f204d69c27379 # v2.1.0
       with:
           token: ${{ inputs.github-token }}
           # https://github.com/marketplace/actions/allcheckspassed#fail-fast
diff --git a/actions/github/ghas-dependabot-metadata/action.yaml b/actions/github/ghas-dependabot-metadata/action.yaml
index ccf6b1d..5cec368 100644
--- a/actions/github/ghas-dependabot-metadata/action.yaml
+++ b/actions/github/ghas-dependabot-metadata/action.yaml
@@ -25,11 +25,11 @@ runs:
   using: composite
   steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
     
     - name: Dependabot metadata
       id: metadata
-      uses: dependabot/fetch-metadata@v2.3.0
+      uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 # v2.3.0
       with:
         github-token: "${{ inputs.github-token }}"
         # Warning: Dependabot's commit signature is not verified, refusing to proceed.
@@ -76,7 +76,7 @@ runs:
     
     - name: Add PR comment with metadata
       id: pr-metadata
-      uses: actions/github-script@v7
+      uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
       with:
         github-token: ${{ inputs.github-token }}
         script: |
diff --git a/actions/github/ghas-enablement-status/action.yaml b/actions/github/ghas-enablement-status/action.yaml
index c6b718f..fdf3160 100644
--- a/actions/github/ghas-enablement-status/action.yaml
+++ b/actions/github/ghas-enablement-status/action.yaml
@@ -25,7 +25,7 @@ runs:
   using: composite
   steps:
     - name: Check if GHAS is enabled
-      uses: actions/github-script@v7
+      uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
       id: status
       with:
         github-token: ${{ inputs.github-token }}
diff --git a/actions/github/mermaid-diagrams/gh-action/action.yaml b/actions/github/mermaid-diagrams/gh-action/action.yaml
index 457d3fc..a89919b 100644
--- a/actions/github/mermaid-diagrams/gh-action/action.yaml
+++ b/actions/github/mermaid-diagrams/gh-action/action.yaml
@@ -37,7 +37,7 @@ runs:
   steps:
     - name: Convert action to Mermaid + Usage
       id: action-diagram
-      uses: actions/github-script@v7
+      uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
       env:
         ORG_REPO_URL: ${{ inputs.org-repo-url }}
         TARGET_REF: ${{ inputs.ref }}
diff --git a/actions/github/workflow-run-logs-grep/action.yaml b/actions/github/workflow-run-logs-grep/action.yaml
index 472b2fc..c74a5cc 100644
--- a/actions/github/workflow-run-logs-grep/action.yaml
+++ b/actions/github/workflow-run-logs-grep/action.yaml
@@ -57,7 +57,7 @@ runs:
   steps:
     - name: Fetch additional workflow properties
       id: workflow-metadata
-      uses: seceng-devsecops-platform/qoomon-actions--context@v4
+      uses: seceng-devsecops-platform/qoomon-actions--context@33b43056fae95271265b29b702dcf5ea3f7708b2 # v4.0.3
 
     - name: View Envs and Outputs
       shell: bash
@@ -74,7 +74,7 @@ runs:
 
     - name: Retrieve the logs from the workflow
       id: workflow-logs
-      uses: seceng-devsecops-platform/devsecops-platform-github-workflows/actions/github/workflow-run-logs@main
+      uses: seceng-devsecops-platform/devsecops-platform-github-workflows/actions/github/workflow-run-logs@719d0b2e862fe65704d1ed53048bc8fe93e1dd61 # main
       with:
         github-org-repo: ${{ inputs.github-org-repo }}
         github-token: ${{ inputs.github-token }}
diff --git a/actions/messaging/slack-notification/action.yaml b/actions/messaging/slack-notification/action.yaml
index 05d9f95..855c260 100644
--- a/actions/messaging/slack-notification/action.yaml
+++ b/actions/messaging/slack-notification/action.yaml
@@ -131,7 +131,7 @@ runs:
     - id: message
       if: ${{ inputs.messageId == '' }}
       name: New message without updating
-      uses: seceng-devsecops-platform/wearerequired-slack-messaging-action@v3.0.0
+      uses: seceng-devsecops-platform/wearerequired-slack-messaging-action@b8d341605efb42cb7ca093a88faaffee59176928 # v3.0.0
       with:
         bot_token: ${{ inputs.slackBotToken }}
         channel_id: ${{ inputs.channelId }}
@@ -140,7 +140,7 @@ runs:
     - id: message_update
       if: ${{ inputs.messageId != '' }}
       name: Update existing message ${{ inputs.messageId }}
-      uses: seceng-devsecops-platform/wearerequired-slack-messaging-action@v3.0.0
+      uses: seceng-devsecops-platform/wearerequired-slack-messaging-action@b8d341605efb42cb7ca093a88faaffee59176928 # v3.0.0
       with:
         bot_token: ${{ inputs.slackBotToken }}
         channel_id: ${{ inputs.channelId }}

[marcellodesales]

🔴 Failure in GHES tests

• In the scenario where a workflow is comprised of internally developed actions and OSS versions from verified vendors, this PR failed to resolve the external after a 404 locally (It should assume first the GHES
• There might be a missing Github Token for the public github.com
  • The current assumes GITHUB_TOKEN to be from GHES

Example

• All the repos listed are in GHES
• The failing one is NOT and the 404 should be followed with a request to Github.com

2026-01-28 18:07:55.473 DBG fetching tags for version resolution owner=seceng-devsecops-platform repo=test-summary-action page=0
2026-01-28 18:07:55.558 DBG fetching tags for version resolution owner=actions repo=setup-python page=0
2026-01-28 18:07:55.632 DBG fetching tags for version resolution owner=actions repo=download-artifact page=0
2026-01-28 18:07:55.710 DBG fetching tags for version resolution owner=SonarSource repo=sonarqube-scan-action page=0
2026-01-28 18:07:55.751 ERR failed to pin actions error=failed to process file: .github/workflows/docker-compose-devsecops-test-workflow.yaml: failed to replace actions in file: .github/workflows/docker-compose-devsecops-test-workflow.yaml: failed to resolve version for SonarSource/sonarqube-scan-action@v6.0.0: failed to list tags for SonarSource/sonarqube-scan-action: GET https://git.viasat.com/api/v3/repos/SonarSource/sonarqube-scan-action/tags?per_page=100: 404 Not Found []

[marcellodesales]

✅ GHES fixes in Place + Github Suggested Changes

• The supported changes works in a Github Enterprise server
  • Make sure to provide extra parameters (Github Enterprise Server token - from the PR, and github.com PAT, to avoid throttled responses)