1
0
Fork 0
mirror of https://github.com/imjasonh/pin-and-bump synced 2026-07-07 00:22:35 +00:00
No description
Find a file
Jason Hall d3c615f117 update readme
Signed-off-by: Jason Hall <jason@chainguard.dev>
2025-12-03 22:45:48 -05:00
.github/workflows initial commit 2025-12-03 22:41:43 -05:00
src initial commit 2025-12-03 22:41:43 -05:00
.gitignore initial commit 2025-12-03 22:41:43 -05:00
Cargo.lock initial commit 2025-12-03 22:41:43 -05:00
Cargo.toml initial commit 2025-12-03 22:41:43 -05:00
LICENSE initial commit 2025-12-03 22:41:43 -05:00
README.md update readme 2025-12-03 22:45:48 -05:00

📌👊 pin-and-bump

Pin GitHub Actions to commit SHAs, and optionally update to latest versions.

Installation

cargo install --path .

Usage

# Pin current versions
pin-and-bump

# Update to latest versions and pin
pin-and-bump --update

# Specify repository path
pin-and-bump -p /path/to/repo

Example

Before:

- uses: actions/checkout@v4
- uses: actions/setup-go@v5

After (pin):

- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
- uses: actions/setup-go@0a12ed9d6a9990640e88f7f159f6c4bc9925b9b2 # v5

After (pin + update with --update):

- uses: actions/checkout@1234567890abcdef1234567890abcdef12345678 # v5
- uses: actions/setup-go@abcdef1234567890abcdef1234567890abcdef12 # v6

Features

  • Resolves tags to commit SHAs using GitHub API
  • Preserves formatting, indentation, and comments
  • --update flag fetches latest releases and updates versions

TODO

  • cut a release; first release can't use trusted publishing 😭
  • when --update is set, also update already-pinned deps