Metadata-Version: 2.1
Name: octopin
Version: 0.1.4
Summary: Pin used actions and analyse transitive dependencies of GitHub workflows / actions
Author-Email: Thomas Neidhart <thomas.neidhart@eclipse-foundation.org>
License: EPL-2.0
Classifier: Intended Audience :: Developers
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python
Classifier: Topic :: Security
Classifier: Topic :: Software Development
Classifier: Typing :: Typed
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: License :: OSI Approved :: Eclipse Public License 2.0 (EPL-2.0)
Project-URL: Homepage, https://github.com/eclipse-csi/octopin
Project-URL: Documentation, https://octopin.readthedocs.org
Project-URL: Repository, https://github.com/eclipse-csi/octopin
Project-URL: Issues, https://github.com/eclipse-csi/octopin/issues
Project-URL: Changelog, https://octopin.readthedocs.org/release-notes/
Requires-Python: >=3.11
Requires-Dist: typer>=0.15
Requires-Dist: PyYAML>=6.0
Requires-Dist: semver>=3.0
Requires-Dist: aiohttp>=3.9
Requires-Dist: aiohttp-client-cache>=0.10
Requires-Dist: aiosqlite>=0.19
Requires-Dist: platformdirs>=4
Description-Content-Type: text/markdown

<h1 align="center">

<a href="https://octopin.readthedocs.org">
  <img style="width: 150px;" src="https://raw.githubusercontent.com/eclipse-csi/.github/refs/heads/main/artwork/eclipse-csi/logo-emblem/500x500%20Transparent.png">
</a>

</h1>

<p align="center">
  <a href="https://pypi.org/project/octopin"><img alt="PyPI" src="https://img.shields.io/pypi/v/octopin.svg?color=blue&maxAge=600" /></a>
  <a href="https://pypi.org/project/octopin"><img alt="PyPI - Python Versions" src="https://img.shields.io/pypi/pyversions/octopin.svg?maxAge=600" /></a>
  <a href="https://github.com/eclipse-csi/octopin/blob/main/LICENSE"><img alt="EPLv2 License" src="https://img.shields.io/github/license/eclipse-csi/octopin" /></a>
  <a href="https://github.com/eclipse-csi/octopin/actions/workflows/build.yml?query=branch%3Amain"><img alt="Build Status on GitHub" src="https://github.com/eclipse-csi/octopin/actions/workflows/build.yml/badge.svg?branch:main&workflow:Build" /></a>
  <a href="https://octopin.readthedocs.io"><img alt="Documentation Status" src="https://readthedocs.org/projects/octopin/badge/?version=latest" /></a><br>
  <a href="https://scorecard.dev/viewer/?uri=github.com/eclipse-csi/octopin"><img alt="OpenSSF Scorecard" src="https://api.securityscorecards.dev/projects/github.com/eclipse-csi/octopin/badge" /></a>
  <a href="https://slsa.dev"><img alt="OpenSSF SLSA Level 3" src="https://slsa.dev/images/gh-badge-level3.svg" /></a>
</p>

# Eclipse Octopin

Analyses and pins GitHub actions in your workflows.

This tool pins the GitHub Action references in your workflows to the full commit SHA-1 hash
instead of a tag. Git tags are not immutable: a tag can be moved to point at a different commit, so
a tag reference does not guarantee that the reviewed code is what actually runs, while a commit hash does.

Converts `uses: aws-actions/configure-aws-credentials@v1.7.0` to
`uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0`

## Skipping actions

To skip a specific action from being pinned, add the comment `pinning: ignore` to its `uses:` line.

Example using the generic SLSA generator action, which *MUST* be [referenced](https://github.com/slsa-framework/slsa-github-generator?tab=readme-ov-file#referencing-slsa-builders-and-generators) by a tag rather than a commit hash:

```yaml
provenance:
    needs: ['prepare', 'build-dist']
    permissions:
      actions: read
      contents: write
      id-token: write # Needed to access the workflow's OIDC identity.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # pinning: ignore
    with:
      base64-subjects: "${{ needs.build-dist.outputs.hashes }}"
      upload-assets: true
```
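The rewrite described above (tag ref to commit SHA with the tag kept as a trailing comment) and the `pinning: ignore` skip, as an added example that is not octopin's own code: it assumes a constructed `KNOWN_TAGS` table in place of the GitHub API lookup octopin performs, and adds an audit helper that lists every action still referenced by a mutable tag or branch.

```python
import re

# Matches `uses: owner/repo[/path]@ref`, optionally followed by a `# comment`.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[^@\s]+)?)@(?P<ref>[^\s#]+)\s*(?:#.*)?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
IGNORE_MARKER = "pinning: ignore"
# Constructed tag -> commit table standing in for a GitHub API lookup: the first entry is the
# mapping quoted in the README above, the second is a placeholder rather than a real commit.
KNOWN_TAGS = {
    ("aws-actions/configure-aws-credentials", "v1.7.0"): "67fbcbb121271f7775d2e7715933280b06314838",
    ("actions/checkout", "v4"): "f" * 40,
}
def resolve_from_table(action: str, ref: str) -> "str | None":
    return KNOWN_TAGS.get((action, ref))
def pin_workflow_text(text: str, resolve=resolve_from_table) -> str:
    """Rewrite each `uses:` line so a tag ref becomes a commit SHA, keeping the tag as a comment.
    `resolve(action, ref)` returns the SHA or None; ignored lines, refs that already are 40-hex
    SHAs, unresolvable tags, local (`./path`) and `docker://` refs are all left untouched."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m is None or IGNORE_MARKER in line or SHA_RE.match(m["ref"]):
            out.append(line)
            continue
        sha = resolve(m["action"], m["ref"])
        if sha is None:
            out.append(line)  # unknown tag: never guess a SHA
            continue
        out.append(f"{m['indent']}{m['action']}@{sha} # {m['ref']}")
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")
def find_unpinned(text: str) -> list[tuple[int, str, str]]:
    """Audit helper: (line, action, ref) for every action still on a mutable tag or branch."""
    return [
        (n, m["action"], m["ref"])
        for n, line in enumerate(text.splitlines(), start=1)
        if (m := USES_RE.match(line)) and IGNORE_MARKER not in line and not SHA_RE.match(m["ref"])
    ]
# Constructed workflow fragment exercising each case (the SLSA line is the one from the README).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v1.7.0
      - uses: ./.github/actions/local-step
  provenance:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # pinning: ignore
"""
```

Running `find_unpinned` on a pinned file returns an empty list, which makes it usable as a CI check that no mutable reference has crept back in.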

## pre-commit hook

This repo provides a pre-commit hook that runs `octopin pin`. Add the following
snippet to your `.pre-commit-config.yaml` to use it.

```yaml
- repo: https://github.com/eclipse-csi/octopin
  rev: main  # Recommended: pin to a tagged release
  hooks:
  - id: pin-versions
```
