Package 'pinsha'

Title: Pin 'GitHub' Actions to 'SHA'
Description: Harden your 'GitHub' workflow security by pinning your third-party actions to the appropriate 'SHA'.
Authors: Zhian N. Kamvar [aut, cre] (ORCID: <https://orcid.org/0000-0003-1458-7108>), Becky Sweger [ctb]
Maintainer: Zhian N. Kamvar <[email protected]>
License: MIT + file LICENSE
Version: 0.0.0.9000
Built: 2026-05-31 09:49:59 UTC
Source: https://github.com/zkamvar/pinsha

Help Index


Automatically pin all actions to their expected hashes in your GitHub workflows

Description

Automatically pin all actions to their expected hashes in your GitHub workflows

Usage

pin(
  workflows = ".github/workflows",
  include_official = FALSE,
  write = FALSE,
  verbose = TRUE
)

Arguments

workflows

the directory containing your GitHub workflow files

include_official

when TRUE, official GitHub actions (those under the actions/ organization) will also be pinned. Defaults to FALSE, meaning that official actions continue to be referenced by tag

write

when TRUE, the workflow files will be overwritten with the pinned versions. Defaults to FALSE, which leaves the workflow files untouched

verbose

when TRUE (default), write out progress for each file. Set to FALSE to suppress all but error messages

Value

nothing; called for its side effect

Examples

tmp <- withr::local_tempdir()
workflows <- fs::path(tmp, ".github", "workflows")
fs::dir_copy(system.file("workflows", package = "pinsha"), workflows)
withr::with_dir(tmp, pin_find_actions(".github/workflows"))
withr::with_dir(tmp, pin(write = TRUE))
withr::with_dir(tmp, pin_find_actions(".github/workflows"))

Pin an individual action to its corresponding SHA

Description

Pin an individual action to its corresponding SHA

Usage

pin_action(action = "r-lib/actions/check-r-package@v2")

Arguments

action

the action written in GitHub uses: syntax, containing at least the GitHub user (or organization), repository, and tag, e.g. owner/repo@tag

Value

the same action with the tag replaced by its commit SHA, followed by a comment indicating the tag the SHA belongs to (this may differ from the tag you supplied if you used a floating tag such as v2, which is resolved to the specific release it currently points at)

Examples

# pin a specific release
pin_action("r-lib/actions/check-r-package@v2")
# pin the latest release
pin_action("docker/login-action")

Pin a third-party action in a workflow

Description

Pin a third-party action in a workflow

Usage

pin_action_workflow(
  action = "r-lib/actions/check-r-package@v2",
  replacement = NULL,
  workflow = ".github/workflows/R-CMD-check.yaml",
  write = FALSE
)

Arguments

action

the action written in GitHub uses: syntax, containing at least the GitHub user (or organization), repository, and tag, e.g. owner/repo@tag

replacement

(optional) the replacement for the particular action. If not provided (the default), pin_action() is used to find the replacement

workflow

the path to a github workflow file

write

if TRUE, the workflow file will be overwritten. Defaults to FALSE, which leaves the workflow file intact

Value

a character vector containing the lines of the workflow file with the action replaced.

Examples

pkgdown <- withr::local_tempdir()
fs::file_copy(system.file("workflows", "pkgdown.yaml", package = "pinsha"), pkgdown)
actions <- pin_find_actions(pkgdown)
actions
for (action in actions) pin_action_workflow(action, workflow = pkgdown, write = TRUE)
pin_find_actions(pkgdown)

Find GitHub actions used in a workflow file

Description

Find GitHub actions used in a workflow file

Usage

pin_find_actions(
  workflow = ".github/workflows/R-CMD-check.yaml",
  include_official = FALSE
)

Arguments

workflow

the path to a GitHub workflow file (or, as in the examples, a directory of workflow files)

include_official

when TRUE, official actions (those under the organization name actions/) will be included in the results. Defaults to FALSE.

Value

a character vector of zero or more third-party actions used in the workflow file(s)

Examples

workflows <- system.file("workflows", package = "pinsha")
pin_find_actions(workflows)
pkgdown <- system.file("workflows", "pkgdown.yaml", package = "pinsha")
pin_find_actions(pkgdown)
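The three steps this package automates (find the uses: references in a workflow, resolve each tag to a commit SHA, rewrite the line with a trailing tag comment) are easy to get subtly wrong: local actions (./path), docker:// references and already-pinned SHAs must be skipped, and a floating tag such as v2 should be annotated with the release it actually resolves to. The following is an added example written for this page, not code from the pinsha package, and it is in Python rather than R. The workflow excerpt and the TAG_TO_SHA table are constructed; the table (with invented SHAs) stands in for the network query that pin_action() performs against GitHub, and the "prefer the longest tag name pointing at the same commit" rule used for the comment is an assumption, not pinsha's documented behaviour. Any existing trailing comment on a rewritten line is replaced.

```python
import re

# Constructed workflow excerpt (not from the pinsha package). It mixes an
# official action, third-party actions, a local action and a docker
# reference so the filter below has something to skip.
WORKFLOW = """\
name: R-CMD-check
on: [push]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: r-lib/actions/setup-r@v2
        with:
          use-public-rspm: true
      - uses: r-lib/actions/check-r-package@v2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: docker/login-action@v3.1.0   # already has a comment
"""

# Hypothetical (repo, tag) -> commit table standing in for a query such as
# `git ls-remote --tags` against GitHub. The SHAs are made up. "v2" is a
# floating tag that points at the same commit as the release tag "v2.11.0".
TAG_TO_SHA = {
    ("r-lib/actions", "v2"): "1111111111111111111111111111111111111111",
    ("r-lib/actions", "v2.11.0"): "1111111111111111111111111111111111111111",
    ("docker/login-action", "v3.1.0"): "2222222222222222222222222222222222222222",
}

# Matches step-level ("- uses:") and job-level ("uses:") references alike,
# capturing the prefix, the reference itself and any trailing comment.
USES_RE = re.compile(r"^(\s*-?\s*uses:\s*)([^\s#]+)(\s*(?:#.*)?)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def split_action(ref):
    """'owner/repo/sub/path@tag' -> ('owner/repo', 'sub/path' or '', 'tag')."""
    name, _, tag = ref.partition("@")
    parts = name.split("/")
    return "/".join(parts[:2]), "/".join(parts[2:]), tag


def is_third_party(ref, include_official=False):
    """Filter out references that cannot or need not be pinned to a SHA."""
    if ref.startswith(("./", "docker://")) or "/" not in ref:
        return False
    if not include_official and ref.startswith("actions/"):
        return False
    return True


def find_actions(text, include_official=False):
    """Unique third-party references in uses: lines, in order of appearance."""
    found = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and is_third_party(m.group(2), include_official) and m.group(2) not in found:
            found.append(m.group(2))
    return found


def resolve(ref):
    """Return (pinned_ref, tag_comment) or None when the ref is left alone."""
    repo, subpath, tag = split_action(ref)
    # No tag at all (pinsha would pick the latest release; the stub has no
    # release list) or already a 40-hex SHA: nothing to rewrite.
    if not tag or SHA_RE.match(tag):
        return None
    sha = TAG_TO_SHA.get((repo, tag))
    if sha is None:
        return None
    # Assumption: annotate with the most specific tag pointing at this commit,
    # so a floating "v2" is recorded as the release it resolved to.
    best = max((t for (r, t), s in TAG_TO_SHA.items() if r == repo and s == sha), key=len)
    name = repo + ("/" + subpath if subpath else "")
    return f"{name}@{sha}", best


def pin_workflow(text, include_official=False):
    """Rewrite every resolvable uses: line as owner/repo@<sha> # <tag>."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and is_third_party(m.group(2), include_official):
            res = resolve(m.group(2))
            if res:
                pinned, tag = res
                line = f"{m.group(1)}{pinned} # {tag}"
        out.append(line)
    return "\n".join(out) + "\n"


def unpinned(text, include_official=False):
    """Third-party references still using a tag or branch instead of a SHA."""
    return [r for r in find_actions(text, include_official)
            if not SHA_RE.match(r.partition("@")[2])]


if __name__ == "__main__":
    print(find_actions(WORKFLOW))
    pinned = pin_workflow(WORKFLOW)
    print(pinned)
    print("still unpinned:", unpinned(pinned))
```

Running pin_workflow a second time over its own output is a no-op, which is the property you want from a tool that is re-run in CI: already-pinned lines are recognised by the 40-hex SHA and never rewritten. The unpinned() check is the equivalent of calling pin_find_actions() again after pin(write = TRUE), as the examples above do, to confirm nothing was missed.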