Releases: suzuki-shunsuke/pinact
v1.1.2
Pull Requests | Issues | v1.1.1...v1.1.2
Features
#672 init: Add a code comment for YAML Language Server to generated config
# yaml-language-server: $schema=https://raw.githubusercontent.com/suzuki-shunsuke/pinact/refs/heads/main/json-schema/pinact.json
Others
#672 Generate JSON Schema for pinact's configuration files
v1.1.1
Pull Requests | Issues | v1.1.0...v1.1.1
Bug Fixes
This release fixes bugs in the --update option.
#669 Fix bugs in the --update option:
- Get a list of available versions from GitHub Releases, not GitHub tags
- Fix a bug that pinact can't update actions if it fails to parse any tag as a semver
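The second fix above is easy to get wrong: one tag that is not semver must be skipped, not abort the whole update. The following is an added example, not pinact's own code, showing that selection logic over a constructed list of release tag names (the GitHub Releases API call that would produce such a list is not shown). The `Version`, `ParseTag` and `Latest` names are this example's own, and skipping pre-release tags such as `v3.6.1-rc.1` is an assumption of the example, not behaviour the release notes describe.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Version is a release tag parsed as vX.Y.Z.
type Version struct {
	Major, Minor, Patch int
	Tag                 string // the original tag name, e.g. "v3.10.0"
}

// stableTag accepts vX.Y.Z (the leading "v" is optional). Pre-release tags
// such as v3.6.1-rc.1 deliberately do not match; skipping them is this
// example's choice, not something the release notes specify.
var stableTag = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)$`)

// ParseTag returns false for any tag that is not plain semver, so a stray
// "nightly" or "release-2023" tag is skipped rather than aborting the update.
func ParseTag(tag string) (Version, bool) {
	m := stableTag.FindStringSubmatch(tag)
	if m == nil {
		return Version{}, false
	}
	major, _ := strconv.Atoi(m[1]) // the regex guarantees ASCII digits only
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	return Version{Major: major, Minor: minor, Patch: patch, Tag: tag}, true
}

// Less compares numerically, so v3.10.0 sorts after v3.6.0 even though a
// plain string comparison would put it first.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// Latest picks the newest parseable release tag. It returns false only when
// no tag at all parses, never because a single tag failed to parse.
func Latest(releaseTags []string) (Version, bool) {
	var best Version
	found := false
	for _, tag := range releaseTags {
		v, ok := ParseTag(tag)
		if !ok {
			continue
		}
		if !found || best.Less(v) {
			best, found = v, true
		}
	}
	return best, found
}

// sampleReleases is constructed input standing in for the tag names of a
// repository's GitHub Releases.
var sampleReleases = []string{
	"v3.5.1", "nightly", "v2.7.0", "v3.6.0", "v3.6.1-rc.1", "v3.10.0", "release-2023",
}

func main() {
	if v, ok := Latest(sampleReleases); ok {
		fmt.Println("latest release:", v.Tag) // latest release: v3.10.0
	} else {
		fmt.Println("no semver release found")
	}
}
```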
v1.1.0
Pull Requests | Issues | v1.0.0...v1.1.0
Features
#663 Support updating actions
Added a command line option --update (-u) to update actions:
pinact run -u
v1.1.0-0
v1.0.0
Pull Requests | Issues | v0.2.1...v1.0.0
🎉 v1 is out
This is a major update, but there are no significant changes.
Others
Update Go to v1.23.2
Update dependencies
#541 Create GitHub Artifact Attestations
https://github.com/suzuki-shunsuke/pinact/attestations
You can verify assets downloaded from GitHub Releases with the GitHub CLI:
gh release download -R suzuki-shunsuke/pinact v1.0.0 -p pinact_darwin_arm64.tar.gz
gh attestation verify pinact_darwin_arm64.tar.gz \
-R suzuki-shunsuke/pinact \
--signer-workflow suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml
v1.0.0-2
v1.0.0-1
v0.2.1
Pull Requests | Issues | v0.2.0...v0.2.1
Bug Fixes
Fixed several bugs where actions weren't pinned.
#468 Fix a bug where actions aren't pinned if the uses key or value is surrounded with single or double quotes
e.g.
- "uses": "actions/[email protected]"
#471 Fix a bug where short versions aren't converted to long versions if the tag= prefix is used
e.g.
- uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247 # tag=v3
#473 Fix a bug where actions aren't pinned if multiple spaces are used before or after #
e.g.
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
v0.2.1-1
v0.2.0
Pull Requests | Issues | v0.1.3...v0.2.0
⚠️ Breaking Changes
#439 Ignore action versions other than semver (x.y.z) and short versions (v1, v2, ...)
pinact now ignores action versions such as main, master, and foo/v1.0.0.
Features
#439 Support verifying version annotations
https://github.com/suzuki-shunsuke/pinact/blob/main/docs/codes/001.md
Please see the following code.
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v3.5.1
You would assume the action is at v3.5.1 because the version annotation says "v3.5.1", but the actual version is v2.7.0: "ee0669bd1cc54295c223e0bb666b733df41de1c5" is the commit hash of v2.7.0.
Compare the two releases:
- https://github.com/actions/checkout/releases/tag/v3.5.1
- https://github.com/actions/checkout/releases/tag/v2.7.0
This shows that version annotations aren't necessarily correct. In particular, an attacker can pin a full commit SHA that contains malicious code while writing a benign-looking tag in the version annotation.
If a pull request changes GitHub Actions references, you should verify the version annotations.
pinact v0.1.3 or newer can verify version annotations using the --verify option of pinact run.
This verification works only if the version annotation is semver and the pinned version is a full commit hash, as in the example above.
The option resolves the version annotation to a full commit hash via the GitHub API and compares it with the pinned commit hash.
e.g.
$ pinact run --verify testdata/bar.yaml
ERRO[0000] parse a line action=actions/checkout action_version=ee0669bd1cc54295c223e0bb666b733df41de1c5 commit_hash_of_version_annotation=83b7061638ee4956cf7545a6f7efe594e5ad0247 error="verify the version annotation: action_version must be equal to commit_hash_of_version_annotation" help_docs="https://github.com/suzuki-shunsuke/pinact/blob/main/docs/codes/001.md" pinact_version=0.2.0 program=pinact version_annotation=v3.5.1 workflow_file=testdata/bar.yaml
Note that the --verify option calls the GitHub API to verify version annotations, which may run into API rate limits.
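To make the three mechanisms on this page concrete in one place (the v0.2.1 parsing fixes for quoted keys, `tag=` annotations and extra spaces around `#`; the v0.2.0 rule that only semver and short versions are pinned; and the `--verify` comparison of a semver annotation against a full commit SHA), here is an added example in Go. It is not pinact's own parser or verifier: the `usesLine` regular expression, the `Ref`, `ParseUses`, `Pinnable`, `VerifyAnnotation` and `Resolver` names are this example's, and `tableResolver` is a constructed stand-in for the GitHub API lookup. The two commit SHAs in `sampleTable` are the ones quoted in the notes above (v3.5.1 and v2.7.0 of actions/checkout); the workflow lines are constructed input.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Ref is one parsed `uses:` reference from a workflow file.
type Ref struct {
	Action     string // "owner/repo" or "owner/repo/path"
	Version    string // what follows '@': a tag, a branch or a full commit SHA
	Annotation string // the version annotation in the trailing comment, "" if none
}

var (
	// Accepts the forms fixed in pinact v0.2.1: an optionally quoted key and
	// value, a "# tag=vN" annotation, and any amount of whitespace around '#'.
	usesLine = regexp.MustCompile(
		`^\s*-?\s*["']?uses["']?\s*:\s*["']?([^@"'\s]+)@([^"'\s]+)["']?\s*(?:#\s*(?:tag=)?(\S+))?\s*$`)
	fullSHA  = regexp.MustCompile(`^[0-9a-f]{40}$`)
	semver   = regexp.MustCompile(`^v?\d+\.\d+\.\d+$`)
	shortVer = regexp.MustCompile(`^v\d+$`)
)

// ParseUses returns the reference on a workflow line, or false when the line
// is not a `uses:` line pointing at a GitHub action (e.g. `./local-action`).
func ParseUses(line string) (Ref, bool) {
	m := usesLine.FindStringSubmatch(line)
	if m == nil {
		return Ref{}, false
	}
	return Ref{Action: m[1], Version: m[2], Annotation: m[3]}, true
}

// Pinnable applies the v0.2.0 rule: only semver (x.y.z) and short versions
// (v1, v2, ...) are pinned; branch names such as main/master and nested tags
// such as foo/v1.0.0 are ignored.
func Pinnable(version string) bool {
	return semver.MatchString(version) || shortVer.MatchString(version)
}

// Resolver looks up the full commit SHA that a tag of an action points at.
// pinact asks the GitHub API; this example injects a table instead.
type Resolver func(action, tag string) (string, error)

var ErrAnnotationMismatch = errors.New("version annotation does not match pinned commit")

// VerifyAnnotation is the check behind --verify: it only applies when the
// pinned version is a full commit SHA and the annotation is semver; for any
// other combination there is nothing to compare and nil is returned.
func VerifyAnnotation(ref Ref, resolve Resolver) error {
	if !fullSHA.MatchString(ref.Version) || !semver.MatchString(ref.Annotation) {
		return nil
	}
	want, err := resolve(ref.Action, ref.Annotation)
	if err != nil {
		return fmt.Errorf("resolve %s@%s: %w", ref.Action, ref.Annotation, err)
	}
	if want != ref.Version {
		return fmt.Errorf("%w: %s pins %s but %s is %s",
			ErrAnnotationMismatch, ref.Action, ref.Version, ref.Annotation, want)
	}
	return nil
}

// tableResolver is a constructed stand-in for the GitHub API (hypothetical helper).
func tableResolver(table map[string]string) Resolver {
	return func(action, tag string) (string, error) {
		sha, ok := table[action+"@"+tag]
		if !ok {
			return "", fmt.Errorf("unknown tag")
		}
		return sha, nil
	}
}

// sampleTable holds the two tag-to-commit mappings quoted in the release notes.
var sampleTable = map[string]string{
	"actions/checkout@v3.5.1": "83b7061638ee4956cf7545a6f7efe594e5ad0247",
	"actions/checkout@v2.7.0": "ee0669bd1cc54295c223e0bb666b733df41de1c5",
}

// sampleWorkflow is constructed input covering the cases discussed on this page.
var sampleWorkflow = []string{
	`      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v3.5.1`,
	`      - uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247 # tag=v3.5.1`,
	`      - "uses": "actions/checkout@v3"`,
	`      - uses: actions/checkout@main`,
	`      - uses: ./local-action`,
}

func main() {
	resolve := tableResolver(sampleTable)
	for _, line := range sampleWorkflow {
		ref, ok := ParseUses(line)
		if !ok {
			fmt.Printf("skip: %q\n", line)
			continue
		}
		if err := VerifyAnnotation(ref, resolve); err != nil {
			fmt.Printf("FAIL %s@%s: %v\n", ref.Action, ref.Version, err)
			continue
		}
		fmt.Printf("ok   %s@%s pin=%v\n", ref.Action, ref.Version, Pinnable(ref.Version))
	}
}
```

The first sample line reproduces the mismatch from the notes (annotation v3.5.1, SHA of v2.7.0) and fails; the second carries the correct SHA for v3.5.1 behind a `tag=` annotation and passes; the quoted `actions/checkout@v3` line parses and is pinnable, `@main` is ignored, and the local action is skipped entirely.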