Track and enforce GitHub Actions SHA pinning compliance across a GitHub organization.
Other orgs can use this directly as a GitHub Action, no fork needed:

```yaml
name: Check SHA Pinning Compliance

on:
  schedule:
    - cron: "0 6 * * *"
  workflow_dispatch:

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Check SHA pinning compliance
        uses: esphome/workflow-shas@main
        env:
          GH_TOKEN: ${{ secrets.YOUR_TOKEN }}
        with:
          command: check
          org: your-org
          tracking-repo: your-tracking-repo
```

Note that `@main` is itself a mutable ref; once you have adopted the action, pin it to a full commit SHA like any other action, or the `check` command will flag this workflow too.

| Input | Required | Description |
|---|---|---|
| `command` | Yes | Subcommand: `check`, `pin`, or `enforce` |
| `org` | Yes | GitHub organization to operate on |
| `tracking-repo` | For `check` | Repo name that holds the tracking issue |
| `repos` | No | Comma-separated list of specific repos to process (default: all repos in the org) |
| `dry-run` | No | Set to `"true"` to run without mutations (no issues, PRs, or settings changes) |
`check` scans all repos, updates the tracking issue, and creates or closes one sub-issue per non-compliant repo:

```yaml
- uses: esphome/workflow-shas@main
  with:
    command: check
    org: your-org
    tracking-repo: workflow-shas
```

`enforce` enables the `sha_pinning_required` repository setting on repos where it is safe to do so, i.e. where no workflow still references an action by tag or branch (turning the setting on while unpinned refs remain would break those workflows):

```yaml
- uses: esphome/workflow-shas@main
  with:
    command: enforce
    org: your-org
```

`pin` (CLI only) clones repos, resolves each action ref to its commit SHA, and opens PRs with the rewritten workflows. It is best run locally, since it needs a workspace for cloning.
The `GH_TOKEN` environment variable must be set to a token with the following permissions on all org repos:

- `issues: write` (for creating and closing sub-issues)
- `actions: write` (for the `enforce` command)
- `contents: read` (for scanning workflow files)

A GitHub App installed on the org and granted only these permissions is recommended over a personal access token, which cannot be scoped this tightly.
Running the CLI locally:

```bash
uv run workflow-shas --org your-org check --tracking-repo workflow-shas
uv run workflow-shas --org your-org enforce --dry-run
uv run workflow-shas --org your-org pin --repo some-repo --dry-run
```

Referencing actions by tag (e.g., `actions/checkout@v4`) is convenient but carries a supply-chain risk: tags are mutable and can be deleted and recreated, or force-pushed, to point at an arbitrary commit, so the code a workflow runs can change with no change to the workflow file. Pinning to a full 40-character commit SHA makes the reference immutable; the usual convention is to keep the version visible in a trailing comment, e.g. `actions/checkout@<sha> # v4.2.2`, so reviewers can still see what the SHA is meant to be.
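The classification a `check` run has to perform on every workflow file, as an added example that is not the project's own code: a stdlib-only Python script that finds each `uses:` reference in a workflow and reports whether it is a full-length SHA. It runs offline over a constructed sample workflow (the 40-hex SHAs in it are placeholders, not resolved values). The function names and the `local`/`docker`/`malformed` statuses are this example's own; they handle the cases a naive grep for `@v` gets wrong: quoted values, the trailing `# vX.Y.Z` comment, same-repo `./` actions, `docker://` images, job-level reusable-workflow refs, and short SHAs, which are not full-length and therefore do not count as pinned.

```python
"""Classify every `uses:` reference in a GitHub Actions workflow as SHA-pinned or not.

Added example, not part of esphome/workflow-shas. Stdlib only, so it runs offline;
a real checker would fetch .github/workflows/*.yml for each repo via the API.
"""
import re
from collections import Counter
from typing import NamedTuple

# A pinned ref is a full 40-hex-digit commit SHA; short SHAs, tags and branches are not.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

# Matches `uses:` at step level (`- uses:`) or job level (reusable workflows).
# The value may be quoted and may carry a trailing "# v1.2.3" comment; the
# character class stops at quotes, whitespace and '#', so the comment is dropped.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?""")


class Finding(NamedTuple):
    line: int      # 1-based line number in the workflow file
    ref: str       # the `uses:` value as written, without the version comment
    status: str    # pinned | unpinned | local | docker | malformed


def classify(uses: str) -> str:
    """Decide whether one `uses:` value points at an immutable commit."""
    if uses.startswith("./"):
        return "local"        # same-repo action: no external ref to pin
    if uses.startswith("docker://"):
        return "docker"       # container image: digest pinning is a separate policy
    if "@" not in uses:
        return "malformed"    # GitHub requires a ref here; treat as non-compliant
    ref = uses.rpartition("@")[2]
    return "pinned" if FULL_SHA_RE.fullmatch(ref) else "unpinned"


def scan_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line in a workflow file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            findings.append(Finding(lineno, ref, classify(ref)))
    return findings


def unpinned_refs(text: str) -> list[str]:
    """Refs that would block enabling sha_pinning_required on this repo."""
    return [f.ref for f in scan_workflow(text) if f.status in ("unpinned", "malformed")]


def is_compliant(text: str) -> bool:
    """True when every external action / reusable-workflow ref is a full SHA."""
    return not unpinned_refs(text)


def summarize(text: str) -> dict[str, int]:
    """Count findings by status, the per-repo numbers a tracking issue would list."""
    return dict(Counter(f.status for f in scan_workflow(text)))


# Constructed sample workflow; the 40-hex SHAs are placeholders, not resolved values.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.3.0
      - uses: ./.github/actions/local-setup
      - uses: "actions/cache@89abcdef0123456789abcdef0123456789abcdef"
      - uses: docker://alpine:3.19
      - run: echo no action here
  reuse:
    uses: your-org/shared/.github/workflows/lint.yml@main
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3}  {f.status:<9}  {f.ref}")
    print("summary:", summarize(SAMPLE_WORKFLOW))
    print("compliant:", is_compliant(SAMPLE_WORKFLOW))
```

`unpinned_refs` is exactly the list an `enforce` run needs to be empty before it flips `sha_pinning_required`, and the job-level `uses:` for the reusable workflow shows why the check cannot stop at `steps:`; a reusable workflow referenced by branch is as mutable as any tagged action.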