GitHub Actions Workflow Checker

A security-focused tool that automatically rewrites GitHub Actions workflows to reference actions by pinned commit SHA instead of floating tags. Tags and branches are mutable and can be re-pointed at malicious code after a workflow has been reviewed; a full commit SHA identifies exactly one revision. The tool keeps the human-readable version next to each SHA and keeps workflows working.
Security Features
- Rewrites `uses:` references from floating tags (for example `@v4`) to full 40-character commit SHAs
- Protects against supply-chain attacks in which a tag or branch is moved to a malicious commit after the fact
- Maintains workflow compatibility through testing
- Opens automated pull requests containing the pinning changes, so every pin is reviewed before it is merged
- Records the resolved version next to each SHA so the pin stays readable and upgradeable

Pinning removes the mutable indirection, not the need for review: a pinned SHA runs exactly the code at that commit, so inspect the diff each pull request proposes before merging.
Key Features
- Scans GitHub Actions workflow files (`.yml` and `.yaml`)
- Creates pull requests with detailed security improvements
- Supports both CLI and GitHub Actions workflow usage
- Handles semantic versioning and commit SHA references
- Runs in a secure Docker container with minimal permissions
- Provides detailed security reports
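To make the pinning and reference-classification behaviour described in the two feature lists above concrete, here is an added example in Go (the project's language). It is not the project's own code: the `PinWorkflow` function, the `Resolver` lookup, the sample workflow and the placeholder SHAs are all constructed for this illustration. The real tool resolves tags through the GitHub API; this example stands a fixed map in for that so it runs offline. It shows how a `uses:` reference is split into action and ref, how a full 40-hex SHA is told apart from a floating tag, how the version is retained as a trailing comment, and how refs that cannot be resolved are reported rather than silently left floating.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// usesLine matches an action reference such as "  - uses: actions/checkout@v4 # note",
// capturing the prefix up to the action name, the action, the ref, and any trailing comment.
// Quoted values ("uses: 'x@y'") are deliberately not handled here.
var usesLine = regexp.MustCompile(`^(\s*-?\s*uses:\s*)([^@\s'"]+)@([^\s#]+)(\s*#.*)?$`)

// fullSHA matches a complete 40-hex-character Git commit ID; anything shorter is a
// tag, branch, or abbreviated SHA and is treated as floating.
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// IsCommitSHA reports whether ref is an immutable full commit SHA.
func IsCommitSHA(ref string) bool { return fullSHA.MatchString(ref) }

// Resolver maps "owner/repo@ref" to the commit SHA that ref currently points at.
// The real tool would query the GitHub API; this offline map stands in for it (assumption).
type Resolver map[string]string

// PinWorkflow rewrites every floating action reference in a workflow to its resolved
// commit SHA and keeps the original ref as a trailing comment (e.g. "@<sha> # v4").
// Refs that are already full SHAs, and docker:// images, are left untouched.
// It returns the rewritten workflow and the refs it could not resolve, which the
// caller should surface instead of silently leaving them floating.
func PinWorkflow(workflow string, resolve Resolver) (string, []string) {
	var unresolved []string
	lines := strings.Split(workflow, "\n")
	for i, line := range lines {
		m := usesLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		prefix, action, ref := m[1], m[2], m[3]
		if IsCommitSHA(ref) || strings.HasPrefix(action, "docker://") {
			continue
		}
		key := action + "@" + ref
		sha, ok := resolve[key]
		if !ok || !IsCommitSHA(sha) {
			unresolved = append(unresolved, key)
			continue
		}
		lines[i] = fmt.Sprintf("%s%s@%s # %s", prefix, action, sha, ref)
	}
	return strings.Join(lines, "\n"), unresolved
}

// Constructed sample input: one tag, one tag with options, one already-pinned step,
// one local action (no "@", so never touched), and one ref the resolver does not know.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: "1.24"
      - uses: actions/cache@cccccccccccccccccccccccccccccccccccccccc # v4.0.2
      - uses: ./.github/actions/local-step
      - uses: example/unknown-action@main
`

// Constructed resolver: the SHAs are placeholders, not real upstream commits.
var sampleResolver = Resolver{
	"actions/checkout@v4": strings.Repeat("a", 40),
	"actions/setup-go@v5": strings.Repeat("b", 40),
}

func main() {
	pinned, unresolved := PinWorkflow(sampleWorkflow, sampleResolver)
	fmt.Print(pinned)
	for _, ref := range unresolved {
		fmt.Printf("WARN: could not resolve %s; left floating\n", ref)
	}
}
```

Running it prints the workflow with `actions/checkout` and `actions/setup-go` pinned to the placeholder SHAs and their tags preserved as comments, leaves the already-pinned `actions/cache` step and the local action alone, and warns about `example/unknown-action@main`. Treating an unresolvable ref as a reported failure rather than a silent skip is the behaviour you want from any pinning tool: a ref it could not check is exactly the one worth a human look.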
Quick Start
GitHub Actions Workflow (Recommended)
Add this workflow to your repository:
```yaml
name: Update GitHub Actions Dependencies
on:
  schedule:
    - cron: "0 0 * * 1" # Runs every Monday
  workflow_dispatch: # Manual trigger option
jobs:
  update-actions:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - name: Update GitHub Actions
        uses: ThreatFlux/githubWorkFlowChecker@v1.0.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          owner: ${{ github.repository_owner }}
          repo-name: ${{ github.event.repository.name }}
          labels: "dependencies,security"
```

Two things to know about this job. First, when a `permissions` block is present every scope not listed is set to `none`, so the job gets only what it needs to push a branch and open a pull request. Second, pull requests opened with the repository's `GITHUB_TOKEN` do not trigger other workflows, so your CI will not run on the bot's pull request unless you supply a personal access token or GitHub App token instead. The example itself references `actions/checkout` and the checker by floating tag; once the checker runs against the repository it will propose pinning those as well.
CLI Installation
Using Go
```shell
go install github.com/ThreatFlux/githubWorkFlowChecker/cmd/ghactions-updater@latest
```
Using Docker
```shell
docker pull ghcr.io/threatflux/ghactions-updater:latest
```

Both commands fetch a floating `latest`. For the same reason this tool exists, anything that runs unattended should pin the module to a specific release version and the image to a digest rather than a tag.
Usage
CLI Options
```shell
ghactions-updater [options]
```
| Option | Description | Required | Default |
|---|---|---|---|
| `-token` | GitHub token with PR permissions | Yes | - |
| `-owner` | Repository owner | Yes | - |
| `-repo-name` | Repository name | Yes | - |
| `-repo` | Repository path | No | `"."` |
| `-version` | Print version information | No | - |
Environment Variables
- `GITHUB_TOKEN`: alternative to the `-token` flag
- `OWNER`: alternative to the `-owner` flag
- `REPO_NAME`: alternative to the `-repo-name` flag
Development
Prerequisites
- Go 1.24.0 or later
- Make
- Docker (optional)
- Git
Local Setup
- Clone the repository:
```shell
git clone https://github.com/ThreatFlux/githubWorkFlowChecker.git
cd githubWorkFlowChecker
```
- Install dependencies:
```shell
make install-tools
go mod download
```
Common Tasks
| Command | Description |
|---|---|
| `make build` | Build binary |
| `make test` | Run tests |
| `make lint` | Run linter |
| `make security` | Run security checks |
| `make docker-build` | Build Docker image |
| `make clean` | Clean up build artifacts |
Documentation
Security
- All dependencies are regularly updated and scanned for vulnerabilities
- Docker images are signed and include SBOMs
- Actions are pinned to specific commit SHAs
- Minimal container permissions and secure defaults
Report security vulnerabilities via GitHub Security Advisories
License
MIT License - see LICENSE file for details.
Contributing
Contributions are welcome! Please read our Contributing Guidelines before submitting a pull request.
Support
Acknowledgments
Thanks to all contributors and the GitHub Actions community for making this tool possible.