pinact-action is a GitHub Action to pin GitHub Actions and reusable workflows by pinact.

This action fixes files matching `\.github/workflows/[^/]+\.ya?ml$` and `^(.*/)?action\.ya?ml?` and pushes a commit to a remote branch. If you don't want to push a commit, this action can also only validate files. In this case, if actions aren't pinned, CI fails.

You can use one of the following access tokens:

- GitHub App Installation access token: we recommend this.
- GitHub Personal Access Token: this can't create verified commits.
- `${{secrets.GITHUB_TOKEN}}`: this can't update workflows, and it can't trigger new workflow runs.

> When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run.

`contents:write` is required. Furthermore, if you want to fix workflow files, `workflows:write` is also required. If private actions are used, the `contents:read` permission to access those repositories is also required. If review is enabled, `pull_requests:write` is also required.
Example workflow using a GitHub App Installation access token:

```yaml
name: Pinact
on:
  pull_request: {}
jobs:
  pinact:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
      - name: Pin actions
        uses: suzuki-shunsuke/pinact-action@28aeb220eb3252ad0d4422dd5d9368e925acbd8d # v1.3.0
        with:
          app_id: ${{vars.APP_ID}}
          app_private_key: ${{secrets.APP_PRIVATE_KEY}}
```

Using a GitHub Personal Access Token:

```yaml
- uses: suzuki-shunsuke/pinact-action@28aeb220eb3252ad0d4422dd5d9368e925acbd8d # v1.3.0
  with:
    github_token: ${{secrets.BOT_GITHUB_TOKEN}}
```

Using separate tokens for running pinact and for pushing commits:

```yaml
- uses: suzuki-shunsuke/pinact-action@28aeb220eb3252ad0d4422dd5d9368e925acbd8d # v1.3.0
  with:
    # For pinact run (contents:read for all actions is required)
    github_token: ${{secrets.BOT_GITHUB_TOKEN}}
    # For creating commits (contents:write for the current repository is required)
    github_token_for_push: ${{secrets.BOT_GITHUB_TOKEN_FOR_PUSH}}
```

If you don't want to push a commit, this action can also only validate files. In this case, if actions aren't pinned, CI fails.
```yaml
- uses: suzuki-shunsuke/pinact-action@28aeb220eb3252ad0d4422dd5d9368e925acbd8d # v1.3.0
  with:
    skip_push: "true"
```

Review mode reports unpinned actions through reviewdog. See also https://github.com/reviewdog/reviewdog

```yaml
- uses: suzuki-shunsuke/pinact-action@28aeb220eb3252ad0d4422dd5d9368e925acbd8d # v1.3.0
  with:
    review: "true"
    github_token: ${{secrets.BOT_GITHUB_TOKEN}}
    # Optional
    reviewdog_fail_level: none # The default is "error"
    reviewdog_filter_mode: nofilter # The default is "added"
```

You can also use a different access token for review. `contents:read` and `pull_requests:write` permissions are required.
```yaml
- uses: suzuki-shunsuke/pinact-action@28aeb220eb3252ad0d4422dd5d9368e925acbd8d # v1.3.0
  with:
    review: "true"
    github_token: ${{secrets.BOT_GITHUB_TOKEN}}
    github_token_for_review: ${{secrets.BOT_GITHUB_TOKEN_FOR_REVIEW}}
```

pinact-action >= v1.3.0 (#854)

As of v1.3.0, pinact-action can create commits securely via Securefix Action. For details about Securefix Action, please see its documentation.

```yaml
- uses: suzuki-shunsuke/pinact-action@28aeb220eb3252ad0d4422dd5d9368e925acbd8d # v1.3.0
  with:
    securefix_app_id: ${{vars.SECUREFIX_ACTION_CLIENT_APP_ID}}
    securefix_app_private_key: ${{secrets.SECUREFIX_ACTION_CLIENT_APP_PRIVATE_KEY}}
    securefix_server_repository: securefix-server
```

These options are optional.
```yaml
- uses: suzuki-shunsuke/pinact-action@28aeb220eb3252ad0d4422dd5d9368e925acbd8d # v1.3.0
  with:
    skip_push: "true"
    update: "true"
    verify: "true"
    min_age: "7"
    includes: |
      actions/.*
      suzuki-shunsuke/.*
    excludes: |
      # lines starting with # are ignored
      actions/checkout
```

pinact-action's main branch and feature branches don't work. Please see the document.
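As an added illustration of what the validate-only mode (`skip_push`) enforces, and of how `includes`/`excludes` narrow the set of checked actions, the script below flags `uses:` references in a workflow that are not pinned to a full commit SHA. This is example code, not pinact's own implementation; it assumes `includes`/`excludes` are regular expressions matched against the action name, and the sample workflow is constructed.

```python
import re

# A `uses:` reference (step-level, or job-level for a reusable workflow), with an optional trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)["']?\s*(?:#.*)?$""")
# A pinned reference is a full 40-character hexadecimal commit SHA, not a tag or branch.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow: one SHA-pinned step, one tag-pinned step,
# one local action and one reusable workflow pinned to a branch.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - uses: actions/setup-go@v5
      - uses: ./.github/actions/local
      - uses: octo-org/reusable/.github/workflows/lint.yml@main
"""


def is_pinned(ref: str) -> bool:
    """True only when the ref is a full commit SHA."""
    return bool(SHA_RE.fullmatch(ref))


def check_workflow(text: str, includes=(), excludes=()):
    """Return [(line_number, reference)] for every action or reusable workflow
    not pinned to a commit SHA. Local actions (./...) and docker:// images have
    no upstream commit to pin and are skipped. includes/excludes are regexes
    matched against the 'owner/repo[/path]' part of the reference (assumption)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue
        name, _, ref = target.partition("@")
        if includes and not any(re.fullmatch(p, name) for p in includes):
            continue
        if any(re.fullmatch(p, name) for p in excludes):
            continue
        if not is_pinned(ref):
            findings.append((lineno, target))
    return findings


if __name__ == "__main__":
    for lineno, target in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {target} is not pinned to a commit SHA")
```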