Versions:

  • 3.9.0

pinact 3.9.0, authored by Shunsuke Suzuki, is a command-line utility that automates maintenance of GitHub Workflow and Composite action files by pinning the Actions and Reusable Workflows they reference to immutable commit SHAs and, when desired, upgrading them to newer releases.

The tool parses YAML files located in .github/workflows and related directories, locates any external action or reusable workflow reference written in the form owner/repo@ref, replaces the floating tag with the corresponding commit SHA, and optionally inserts or updates the accompanying comment that records the human-readable version for quick visual verification. This pinning strategy eliminates the risk of unexpected behavior or supply-chain attacks that can occur when a third-party tag is silently moved, while still allowing maintainers to track semantic versions through the preserved annotation.

In addition to pinning versions, pinact can scan the same files for outdated references and apply the newest upstream tags in one atomic operation, so that continuous-integration pipelines stay current without manual editing. Typical use cases include nightly audits across large monorepos, pull-request checks that enforce immutable SHAs before merge, and one-shot bulk updates after a security advisory. Because it operates solely on local YAML and interacts with the GitHub API only to resolve tag-to-SHA mappings, the utility fits into existing CI/CD workflows and requires no elevated repository permissions.

The single-version release history currently stands at 3.9.0, indicating rapid initial development toward a stable feature set. pinact is available for free on get.nero.com, with downloads provided via trusted Windows package sources such as winget, always delivering the latest version and supporting batch installation of multiple applications.
