arosenkranz/pin-actions
plugins/git-and-pr/skills/pin-actions/SKILL.md
Pin GitHub Actions from mutable tags (e.g., @v4) to immutable commit SHAs to prevent supply chain attacks. Use when editing .github/workflows files, hardening CI security, looking up action SHAs, pinning actions to specific commits, or replacing "uses: owner/repo@tag" references with SHA-pinned equivalents.
$ install --global
skillsauthnpx skillsauth add arosenkranz/claude-code-config pin-actionsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 23, 2026, 5:19 AM200.0s2 files scanned
SKILL.md
- name:
- pin-actions
- description:
- >
- "uses:
- owner/repo@tag" references with SHA-pinned equivalents.
pin-actions
GitHub Actions referenced by mutable tags (@v4) are vulnerable to supply chain attacks —
a compromised maintainer can silently move the tag to malicious code. Pinning to a commit
SHA makes the reference immutable and tamper-evident.
Script Location
~/.claude/skills/pin-actions/scripts/resolve_action_sha.sh
Interface: ./resolve_action_sha.sh <owner/repo[/path]> <tag> → prints 40-char SHA to stdout
Workflow 1: Scan Mode (pin all unpinned actions in a workflow file)
- Read the workflow file to identify all
uses:lines - Filter to unpinned actions — skip:
- Already-pinned:
uses: owner/repo@<40-char hex SHA> - Docker-based:
uses: docker://... - Local actions:
uses: ./path/to/action
- Already-pinned:
- For each unpinned action, extract
owner/repo[/subpath]andref:- Pattern:
uses: {owner}/{repo}@{ref} - Pattern:
uses: {owner}/{repo}/{path}@{ref}(sub-path actions)
- Pattern:
- Resolve each SHA using the script:
SHA=$(~/.claude/skills/pin-actions/scripts/resolve_action_sha.sh "owner/repo" "v4") - Replace
owner/repo@v4→owner/repo@<SHA> # v4- Always preserve the original tag as a trailing comment for human readability
Example transformation
Before:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v4
- uses: docker/build-push-action/push@v6
After:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: pnpm/action-setup@a3252b7a1b87b11f31ef2a5405c6fe64a35b06b8 # v4
- uses: docker/build-push-action/push@263435318d21b8e681c14492fe198d362a7d2c83 # v6
Workflow 2: Lookup Mode (resolve a single action on demand)
When asked to look up the SHA for a specific action:
~/.claude/skills/pin-actions/scripts/resolve_action_sha.sh "actions/checkout" "v4"
# → 11bd71901bbe5b1630ceea73d27597364c9af683
Report the SHA and the pinned form:
actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
Tag Types
The script handles both GitHub tag types transparently:
- Lightweight tags: point directly to a commit (most common for action releases)
- Annotated tags: contain metadata and point to a tag object, which in turn points to a commit — the script dereferences this automatically
Authentication
Using GITHUB_TOKEN avoids rate limits:
- Unauthenticated: 60 requests/hour
- Authenticated: 5,000 requests/hour
export GITHUB_TOKEN="ghp_your_token_here"
The script checks for GITHUB_TOKEN automatically and adds the Authorization header when present.
Error Handling
If the script exits with code 1, the tag likely doesn't exist for that repo. Verify:
- Correct owner/repo spelling
- Tag exists:
gh api repos/{owner}/{repo}/git/ref/tags/{tag} - The repo has releases (not all action repos use tags)
- Rate limit not exceeded (set
GITHUB_TOKENif unauthenticated)
Related Skills
arosenkranz/spec-and-plan
tools
VerifiedTrustedCommunity
Lightweight orchestrator for spec-before-plan workflow. Use when starting a feature with ambiguous requirements. Walks SPEC.md → PLAN.md → execute, delegating to /superpowers:writing-plans and /superpowers:executing-plans. Invoke when asked to "spec this out", "spec-first", "spec and plan for X", or when feature requirements are vague.
1SKILL.mdUpdated May 12, 2026
arosenkranz/problem-statement
tools
VerifiedTrustedCommunity
Problem Statement Co-Authoring Skill
1SKILL.mdUpdated Apr 23, 2026
arosenkranz/maintaining-brag-docs
development
VerifiedTrustedCommunity
Structure and maintain professional brag documents with clear templates for accomplishments, projects, and growth tracking. Use when documenting achievements, creating brag document entries, formatting accomplishments, or tracking career progress.
1SKILL.mdUpdated Apr 23, 2026
arosenkranz/linting-technical-writing
development
VerifiedTrustedCommunity
Analyze technical documentation for clarity, conciseness, and effectiveness using Google Technical Writing principles. Use when reviewing documentation, checking writing quality, improving docs, or providing writing feedback.
1SKILL.mdUpdated Apr 23, 2026