Hacker News new | ask | show | jobs
by ebfe1 410 days ago
After tj-actions hack, I put together a little tool to go through all of github actions in repository to replace them with commit hash of the version

https://github.com/santrancisco/pmw

It has a few "features" which allowed me to go through a repository quickly:

- It prompts user and recommend the hash, it also provides user the url to the current tag/action to double check the hash value matches and review the code if needed

- Once you accept a change, it will keep that in a json file so future exact vesion of the action will be pinned as well and won't be reprompted.

- It let you also ignore version tag for github actions coming from well-known, reputational organisation (like "actions" belong to github) - as you may want to keep updating them so you receive hotfix if something not backward compatible or security fixes.

This way i have full control of what to pin and what not and then this config file is stored in .github folder so i can go back, rerun it again and repin everything.
5 comments
loginatnine 410 days ago
This is good, just bear in mind that if you put the hash of an external composite action and that action pulls on another one without a hash, you're still vulnerable on that transitive dependency.
link
ebfe1 409 days ago
oh damn - that is a great point! thanks matey!
link
newman314 410 days ago
I don't know if your tool already does this but it would be helpful if there is an option to output the version as a comment of the form

action@commit # semantic version

Makes it easy to quickly determine what version the hash corresponds to. Thanks.

link
ebfe1 409 days ago
Yeap - that is exactly what it does ;)

Example:

uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 #v1.16.0

And for anything that previously had @master, it becomes the following with the hash on the day it was pinned with "master-{date}" as comment:

uses: ravsamhq/notify-slack-action@b69ef6dd56ba780991d8d48b61d94682c5b92d45 #master-2025-04-04

link
fartbagxp 410 days ago
I've been using https://github.com/stacklok/frizbee to lock down to commit hash. I wonder how this tool compares to that.
link
remram 409 days ago
Having control is good, but reading all the code yourself seems unrealistic. We need something like crev or cargo-vet.
link
ebfe1 409 days ago
Yea hence it prompts for you to check the first time but once you verify the hash for particular version of action, it would automatically apply the hash to that same version of action everywhere. Also you can reuse the same config for all other repos so it is only tedious the first time but after that it is pretty quick to apply to the rest of the org :)

The tool is indeed meant for semi-auto flow to ensure human eye looked at the action being used.

link
tuananh 410 days ago
renovate can be configured to do that too :)
link
jquaint 410 days ago
Do you have an example config?

Trying to get the same behavior with renovate :)

link
tuananh 409 days ago
here's one that i use https://github.com/tuananh/hyper-mcp/blob/main/.github/renov...
link