Secure your GitHub Actions with Pinner

Automatically pin mutable tags to immutable SHA-1 hashes to prevent supply chain attacks.

The Pinner Reaction Etymology

In organic chemistry, the Pinner reaction involves the acid-catalyzed conversion of a reactive nitrile into a highly stable salt.

"Just as the reaction transforms a volatile compound into a stable, fixed salt, this CLI transforms floating tags into secure, immutable commit SHAs."

Terminal

$ pinner pin

Searching for workflows in .github/workflows/...

actions/checkout@v4 -> actions/checkout@8f4b7f84... # v4

dtolnay/rust-toolchain@master -> dtolnay/rust-toolchain@e97e2d8c... # master

Successfully pinned 12 actions across 3 files!

$ pinner verify

Verifying action pinning...

All actions are correctly pinned! ✅

High Performance

Built with Rust and `tree-sitter` for maximum speed and precision. Scan hundreds of actions in milliseconds.

Secure by Design

Protects your CI/CD against tag-moving attacks. Native support for `verify` mode in your CI pipelines.

Enterprise Ready

Configurable via `.pinner.toml`. Supports GitHub Enterprise with custom API URLs and tokens.

Install Pinner

curl -sSL https://raw.githubusercontent.com/ffalcinelli/pinner/main/install.sh | sh
Copied to clipboard!

One-line installation for instant workflow security.