
After the tj-actions hack, I put together a little tool to go through all of the GitHub Actions in a repository and replace them with the commit hash of the version

https://github.com/santrancisco/pmw

It has a few "features" which allowed me to go through a repository quickly:

- It prompts the user and recommends the hash; it also gives the user the URL to the current tag/action to double-check that the hash value matches and review the code if needed

- Once you accept a change, it keeps that in a JSON file, so the exact same version of the action will be pinned in future as well and won't be re-prompted.

- It also lets you ignore version tags for GitHub Actions coming from well-known, reputable organisations (like "actions", which belongs to GitHub), as you may want to keep updating them so you receive hotfixes if something is not backward compatible, or security fixes.

This way I have full control of what to pin and what not to, and then this config file is stored in the .github folder so I can go back, rerun it again and repin everything.



This is good, just bear in mind that if you put the hash of an external composite action and that action pulls on another one without a hash, you're still vulnerable on that transitive dependency.


Oh damn - that is a great point! Thanks, matey!


I don't know if your tool already does this but it would be helpful if there is an option to output the version as a comment of the form

action@commit # semantic version

Makes it easy to quickly determine what version the hash corresponds to. Thanks.


Yeap - that is exactly what it does ;)

Example:

uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 #v1.16.0

And for anything that previously had @master, it becomes the following, with the hash on the day it was pinned and "master-{date}" as the comment:

uses: ravsamhq/notify-slack-action@b69ef6dd56ba780991d8d48b61d94682c5b92d45 #master-2025-04-04
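As an added illustration of the flow described in the post and in the comment above (this is not the pmw tool's own code), the function below rewrites `uses:` lines from a stored pin file, leaves actions from trusted orgs floating, labels branch pins (master/main) with the date, and reports references that have no reviewed pin yet. The pin file contents are constructed from values quoted in this thread, and `today` is passed in rather than read from the clock.

```python
"""Pin GitHub Actions `uses:` references to reviewed commit SHAs."""
import json
import re

# `uses: owner/repo[/path]@ref`, optionally followed by a comment.
USES_RE = re.compile(
    r'^(?P<indent>\s*-?\s*uses:\s*)(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+).*$'
)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed pin file, as the tool would store in .github after a human reviewed each hash.
PINS = json.loads('''{
  "ncipollo/release-action@v1.16.0": "440c8c1cb0ed28b9f43e4d1d670870f059653174",
  "ravsamhq/notify-slack-action@master": "b69ef6dd56ba780991d8d48b61d94682c5b92d45"
}''')

def pin_workflow(text, pins, trusted_orgs=(), today="2025-04-04"):
    """Return (rewritten workflow text, list of refs still lacking a reviewed pin)."""
    out, unresolved = [], []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            out.append(line)
            continue
        action, ref = m["action"], m["ref"]
        org = action.split("/")[0]
        # Already a full SHA, or deliberately kept floating for a trusted org: leave as-is.
        if SHA_RE.match(ref) or org in trusted_orgs:
            out.append(line)
            continue
        key = f"{action}@{ref}"
        sha = pins.get(key)
        if sha is None:
            unresolved.append(key)      # needs a human review before it can be pinned
            out.append(line)
            continue
        # Branch pins get the pin date in the comment, tags keep the version label.
        label = f"{ref}-{today}" if ref in ("master", "main") else ref
        out.append(f'{m["indent"]}{action}@{sha} #{label}')
    return "\n".join(out), unresolved

# Constructed sample workflow fragment.
SAMPLE = """jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: ncipollo/release-action@v1.16.0
      - uses: ravsamhq/notify-slack-action@master
      - uses: someone/unreviewed-action@v2
"""
```

Running `pin_workflow(SAMPLE, PINS, trusted_orgs=("actions",))` rewrites the two reviewed actions, leaves `actions/checkout@v4` floating, and returns `someone/unreviewed-action@v2` as unresolved; a second pass over the output changes nothing, so it is safe to rerun.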


I've been using https://github.com/stacklok/frizbee to lock down to commit hash. I wonder how this tool compares to that.


Having control is good, but reading all the code yourself seems unrealistic. We need something like crev or cargo-vet.


Yea, hence it prompts you to check the first time, but once you verify the hash for a particular version of an action, it automatically applies the hash to that same version of the action everywhere. Also, you can reuse the same config for all other repos, so it is only tedious the first time; after that it is pretty quick to apply to the rest of the org :)

The tool is indeed meant for a semi-automatic flow to ensure a human eye has looked at the action being used.


Renovate can be configured to do that too :)


Do you have an example config?

I'm trying to get the same behavior with Renovate :)
