
// the find

suzuki-shunsuke/pinact

★ 1,082 · Go · MIT · updated Jun 2026

pinact is a CLI to edit GitHub Workflow and Composite action files and pin versions of Actions and Reusable Workflows. pinact can also update their versions and verify version annotations.

pinact pins GitHub Actions references to their full SHA commit hash and keeps the human-readable version tag as a comment. It's for teams who want supply-chain security hardening without manually hunting down SHAs, and for CI pipelines that want to enforce that everything is pinned before merge.

The minimum release age cooldown is genuinely useful for supply-chain defense: refusing to adopt an action published only 2 hours ago closes the window in which a freshly compromised release would otherwise be pulled in, and most tools ignore it. The diff-file mode for incremental adoption is a practical answer to the 'this will touch every workflow at once' objection. SARIF output with reviewdog integration means you can surface unpinned actions as PR annotations, not just a failing step. The offline `-no-api` check is fast and useful in airgapped or rate-limited CI environments.
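To make the pin-and-annotate policy described above concrete, here is a small Go checker written for this note (not pinact's own code) that walks workflow YAML and flags every `uses:` reference that is not a full 40-hex commit SHA carrying a version-tag comment. The sample workflow and its SHA are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type Finding struct{ Line int; Ref, Reason string }

var usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^@\s"']+)@([^\s"'#]+)["']?\s*(?:#\s*(\S+))?`)
var shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)      // full commit SHA
var versionRe = regexp.MustCompile(`^v?\d+(\.\d+)*$`) // tag-like annotation such as v4.1.1

// Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
const sampleWorkflow = `steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
  - uses: actions/setup-go@v5
  - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
  - uses: ./.github/actions/local
  - uses: "octo/tool@0123456789abcdef0123456789abcdef01234567" # main
`

// CheckWorkflow scans workflow YAML line by line and reports every `uses:`
// reference that is not a full SHA carrying a version-tag comment.
func CheckWorkflow(yaml string) []Finding {
	var out []Finding
	for i, line := range strings.Split(yaml, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue // not an owner/repo@ref line (local ./ actions have no @)
		}
		ref, sha, note := m[1]+"@"+m[2], m[2], m[3]
		switch {
		case !shaRe.MatchString(sha):
			out = append(out, Finding{i + 1, ref, "not pinned to a full commit SHA"})
		case note == "":
			out = append(out, Finding{i + 1, ref, "pinned but missing version annotation"})
		case !versionRe.MatchString(note):
			out = append(out, Finding{i + 1, ref, "annotation " + note + " is not a version tag"})
		}
	}
	return out
}

func main() {
	for _, f := range CheckWorkflow(sampleWorkflow) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Ref, f.Reason)
	}
}
```

A non-empty result is the signal a CI gate would fail on; confirming that the annotation actually names the tag the SHA belongs to still needs the API, which is the part the offline mode skips.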

No support for pinning actions referenced via third-party reusable workflow `uses:` lines that live outside `.github/`. If you have a monorepo with workflows scattered across subdirectories deeper than the default glob pattern reaches, you'll miss some files silently. The `--branch-to-tag` regex applies globally, so if one action has a `main` branch you want pinned and another has one you don't, you're stuck. The keyring integration is convenient, but the fallback behavior (silently dropping to no-auth if `GITHUB_TOKEN` is set) is easy to misconfigure in CI. Token management via `pinact token set` is interactive-only by default; the stdin workaround feels bolted on.
