Skip to content

feat: add pinact-action to automate GitHub Actions SHA pinning (do not merge) #802

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 7 commits into
base: main
Choose a base branch
from
+115 −0
Draft

feat: add pinact-action to automate GitHub Actions SHA pinning (do not merge) #802

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
362a8ec
feat: pin sha for github actions
wennergr Sep 24, 2025
9df63fc
Apply suggestion from @aaronsteers
aaronsteers Sep 24, 2025
b83d68e
docs: add blub to CONTRIBUTING.md
aaronsteers Sep 24, 2025
1a0c230
added pinact example
wennergr Sep 24, 2025
3e67129
feat: add poe-based pinact automation for GitHub Actions SHA pinning
devin-ai-integration[bot] Sep 24, 2025
8f87ad5
fix: update pinact CLI flags and pin poe-command-processor action
devin-ai-integration[bot] Sep 24, 2025
e5126a2
Merge branch 'main' into devin/1758749777-add-pinact-automation
aaronsteers Oct 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 43 additions & 0 deletions .github/workflows/gh-ci-fix-command.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
name: On-Demand GitHub Actions Pin Fix

on:
workflow_dispatch:
inputs:
pr:
description: 'PR Number'
type: string
required: true
comment-id:
description: 'Comment ID (Optional)'
type: string
required: false

permissions:
contents: write
workflows: write
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [actionlint] reported by reviewdog 🐶
unknown permission scope "workflows". all available permission scopes are "actions", "attestations", "checks", "contents", "deployments", "discussions", "id-token", "issues", "packages", "pages", "pull-requests", "repository-projects", "security-events", "statuses" [permissions]

pull-requests: write
Comment on lines +15 to +18
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Invalid permission scope prevents workflow linting
workflows: write isn’t a recognized permission (actionlint is already failing this). Could we drop or replace it with a valid scope (likely just rely on contents: write) so the workflow passes lint and can run, wdyt?

🤖 Prompt for AI Agents 
.github/workflows/gh-ci-fix-command.yml lines 15-18: the permissions block
contains an invalid scope "workflows: write" which causes actionlint to fail;
remove the "workflows: write" entry (or replace it with a valid permission if
you explicitly need one) and keep "contents: write" (and "pull-requests: write"
if required) so the YAML is valid and the workflow lints and runs.


env:
AIRBYTE_ANALYTICS_ID: ${{ vars.AIRBYTE_ANALYTICS_ID }}

jobs:
gh-ci-fix:
name: Pin GitHub Actions
runs-on: ubuntu-latest
steps:
- name: Authenticate as GitHub App
uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
id: get-app-token
with:
owner: "airbytehq"
repositories: "PyAirbyte"
app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}

- name: Run Poe Command
uses: aaronsteers/poe-command-processor@04330aa7047b6b182ff280a962cbbcd99d6eb683 # v1.3.0
with:
command: "gh-ci-fix"
github-token: ${{ steps.get-app-token.outputs.token }}
pr: ${{ github.event.inputs.pr }}
comment-id: ${{ github.event.inputs.comment-id }}
1 change: 1 addition & 0 deletions .github/workflows/slash_command_dispatch.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ jobs:
fix-pr
test-pr
poetry-lock
gh-ci-fix
static-args: |
pr=${{ github.event.issue.number }}
comment-id=${{ github.event.comment.id }}
Expand Down
51 changes: 51 additions & 0 deletions .github/workflows/validate-pinned-actions.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
name: Validate Pinned Actions

on:
pull_request:
paths:
- '.github/workflows/**'
- '**/action.yml'
- '**/action.yaml'

permissions:
contents: read
pull-requests: write

jobs:
validate-pinned-actions:
name: Validate Actions are SHA-pinned
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

- name: Set up Python
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: '3.10'

- name: Set up Poetry
uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
with:
poetry-version: "2.2.0"

- name: Install dependencies
run: poetry install

- name: Install pinact CLI
run: |
go install github.com/suzuki-shunsuke/pinact/cmd/pinact@latest
- name: Validate all actions are pinned
run: |
if ! poetry run poe gh-ci-check; then
echo "❌ Some GitHub Actions are not pinned to SHA hashes!"
echo ""
echo "To fix this, use the slash command '/gh-ci-fix' on this PR."
echo ""
echo "Or run locally:"
echo " poetry run poe gh-ci-fix"
exit 1
else
echo "✅ All GitHub Actions are properly pinned to SHA hashes."
fi
15 changes: 15 additions & 0 deletions docs/CONTRIBUTING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,21 @@ This repo uses a policy of SHA-pinning GitHub Actions, for hardened security.
To pin your GitHub actions, you can use the [pinact](https://github.com/suzuki-shunsuke/pinact) tool:

```bash
# Install pinact CLI tool
go install github.com/suzuki-shunsuke/pinact/cmd/pinact@latest

# Pin all GitHub Actions in workflow files
pinact run

# Pin actions in a specific file
pinact run .github/workflows/python_lint.yml

# Check if actions are pinned (dry-run)
pinact run --dry-run
```

You can also use the `/gh-ci-fix` slash command on pull requests to automatically pin actions.

# Convert from from fixed version to sha
# Example: actions/checkout@v4 -> actions/checkout@08e... # v4.3.0
pinact run [optional_file]
Expand Down
5 changes: 5 additions & 0 deletions pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -199,6 +199,11 @@ fix = { shell = "ruff format . && ruff check --fix -s || ruff format ." }
fix-unsafe = { shell = "ruff format . && ruff check --fix --unsafe-fixes . && ruff format ." }
fix-and-check = { shell = "poe fix && poe check" }

# GitHub Actions CI tasks
install = { shell = "poetry install" }
gh-ci-check = { shell = "$HOME/go/bin/pinact run --check", help = "Check if GitHub Actions are pinned to SHA hashes" }
gh-ci-fix = { shell = "$HOME/go/bin/pinact run", help = "Pin GitHub Actions to their SHA hashes" }

Comment on lines +202 to +206
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Hard-coded $HOME path breaks on Windows runners
These Poe tasks invoke $HOME/go/bin/pinact, but on Windows cmd won’t expand $HOME, so poe gh-ci-check/gh-ci-fix will fail for contributors on that platform. Could we switch to a PATH-based invocation (e.g., cmd = "pinact run --check" / cmd = "pinact run") so it works cross-platform, wdyt?

🤖 Prompt for AI Agents 
In pyproject.toml around lines 202-206 the poe tasks hard-code
$HOME/go/bin/pinact which won’t expand on Windows; replace the shell invocations
that use the $HOME path with PATH-based invocations (e.g., use cmd = "pinact run
--check" for gh-ci-check and cmd = "pinact run" for gh-ci-fix, or set shell to
simply "pinact run..." without $HOME) so the tasks run cross-platform; ensure
the task definitions no longer reference $HOME and rely on pinact being
available on PATH.

# MCP Server Tasks
mcp-serve-local = { cmd = "poetry run airbyte-mcp", help = "Start the MCP server with STDIO transport" }
mcp-serve-http = { cmd = "poetry run python -c \"from airbyte.mcp.server import app; app.run(transport='http', host='127.0.0.1', port=8000)\"", help = "Start the MCP server with HTTP transport" }
Expand Down
Loading