suzuki-shunsuke/pinact-action


pinact-action


pinact-action is a GitHub Action that pins GitHub Actions and reusable workflows using pinact. It fixes files matching \.github/workflows/[^/]+\.ya?ml$ and ^(.*/)?action\.ya?ml? and pushes a commit to a remote branch.


If you don't want to push a commit, this action can instead only validate files. In this case, CI fails if actions aren't pinned.


GitHub Access Token

You can use any of the following tokens:

  • 👍 GitHub App Installation access token: We recommend this
  • 👎 GitHub Personal Access Token: This can't create verified commits
  • 👎 ${{secrets.GITHUB_TOKEN}}: This can't trigger new workflow runs.

https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow

When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run.

Required permissions

contents:write is required. Furthermore, if you want to fix workflow files, workflows:write is also required. If private actions are used, the contents:read permission on those repositories is also required.

How To Use

All inputs are optional.

name: Pinact
on:
  pull_request: {}
jobs:
  pinact:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      - name: Pin actions
        uses: suzuki-shunsuke/pinact-action@d735505f3decf76fca3fdbb4c952e5b3eba0ffdd # v0.1.2

By default, this action uses ${{github.token}} to create a commit, but we recommend a GitHub App because ${{github.token}} doesn't trigger a new workflow run.

You can create a GitHub App installation access token and pass it to pinact-action yourself, or you can pass a GitHub App ID and private key. pinact-action then creates a GitHub App installation access token with minimum repositories and permissions.

- uses: suzuki-shunsuke/pinact-action@d735505f3decf76fca3fdbb4c952e5b3eba0ffdd # v0.1.2
  with:
    app_id: ${{secrets.APP_ID}}
    app_private_key: ${{secrets.APP_PRIVATE_KEY}}

skip_push

If you don't want to push a commit, this action can instead only validate files. In this case, CI fails if actions aren't pinned.

- uses: suzuki-shunsuke/pinact-action@d735505f3decf76fca3fdbb4c952e5b3eba0ffdd # v0.1.2
  with:
    skip_push: "true"
