
chore(deps): update dependency suzuki-shunsuke/pinact to v3 #909

Open: wants to merge 1 commit into base: main

Conversation

renovate[bot] (Contributor)

@renovate renovate bot commented Mar 30, 2025

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| suzuki-shunsuke/pinact | major | v1.6.0 -> v3.0.3 |

Release Notes

suzuki-shunsuke/pinact (suzuki-shunsuke/pinact)

v3.0.3

Compare Source

Pull Requests | Issues | suzuki-shunsuke/pinact@v3.0.2...v3.0.3

Changelog

v3.0.2

Compare Source

Pull Requests | Issues | suzuki-shunsuke/pinact@v3.0.1...v3.0.2

Features

#884 Add version's -json option

Fixes

#886 Fix Go module path github.com/suzuki-shunsuke/pinact/v2 => github.com/suzuki-shunsuke/pinact/v3

Others

#875 Update urfave/cli/v2 to v3

v3.0.1

Compare Source

Pull Requests | Issues | suzuki-shunsuke/pinact@v3.0.0...v3.0.1

Fixes

#865 Fix typo and add links to documents to error logs

v3.0.0

Compare Source

Pull Requests | Issues | suzuki-shunsuke/pinact@v2.2.1...v3.0.0

⚠ Breaking Changes

Note: If you don't use the pinact configuration file .pinact.yaml, you don't need to do anything.

#855 Change the default schema version to 3 and abandon the version 2

  • The format of .files[].pattern is changed from regular expression to glob pattern
  • .ignore_actions[].ref gets required
  • .version gets required
  • Regular expressions must match exactly

How To Migrate

  1. Update pinact to v2.2.0 or later
  2. Run the pinact migrate command to fix the pinact configuration file:
     pinact migrate
  3. Convert regular expressions to glob patterns in .files[].pattern
  4. Fix .ignore_actions[].name and .ignore_actions[].ref

Regular expressions must match exactly.

For instance, name: actions/ doesn't match actions/checkout.
You need to fix this to actions/.* if you want to ignore all actions under actions organization.

Why are these breaking changes necessary?

The format of .files[].pattern is changed from regular expression to glob pattern

  • To simplify the implementation
    • To fix bugs
  • In most cases, glob is sufficient

.ignore_actions[].ref gets required

To improve the security.
You should restrict ignored action versions as much as possible.

.version gets required

To migrate configuration automatically.

Regular expressions must match exactly

To improve the security.
Partial match can cause potential security issues.
For instance, ref: main matches malicious-main with pinact v2.1.0.
This is probably undesirable, and it's hard to find this issue.
As of pinact v3, ref: main matches with only main.


v2.2.1

Compare Source

Pull Requests | Issues | suzuki-shunsuke/pinact@v2.2.0...v2.2.1

🐛 Bug Fixes

#860 Fix a bug that pinact run's --check option doesn't work

v2.2.0

Compare Source

Pull Requests | Issues | suzuki-shunsuke/pinact@v2.1.0...v2.2.0

Features

#851 Add migrate command and support the configuration file schema

We're going to release pinact v3.
pinact v3 includes breaking changes of pinact configuration file.
To allow you to migrate to v3 easily, this release introduced the concept of a configuration schema version and the pinact migrate command.
You can migrate configuration files by pinact migrate command, though more manual modification may be necessary.

pinact migrate

The default schema version is 2, and the latest schema version is 3.
The version 2 is compatible with previous versions.
pinact v3 will require the version schema definition and abandon the support of version 2.

For more details, please see the issue. https://github.com/suzuki-shunsuke/pinact/issues/852

🐛 Bug Fixes

#853 Fix Go Module Path

go install github.com/suzuki-shunsuke/pinact/v2/cmd/pinact@latest

v2.1.0

Compare Source

Pull Requests | Issues | suzuki-shunsuke/pinact@v2.0.4...v2.1.0

Features

#840 Add ignore_actions[].ref in config @yuya-takeyama

You can now restrict the versions of an ignored action using a regular expression.

e.g.

ignore_actions:
  - name: ^suzuki-shunsuke/
    ref: ^main$ # optional

ref is optional.
If you omit ref, all versions are ignored. This can be dangerous in certain scenarios:

  1. For organization-internal actions, ignoring without ref restriction means trusting that ALL branches of the repository are secure
  2. If an attacker gains access to push to any branch in the repository (even non-protected branches), they could create a malicious branch with the same action name
  3. Even with organization-internal repositories, compromised credentials of a contributor could lead to backdoors in non-protected branches

For example, if you have an internal action like this:

- uses: a-trusted-org/a-trusted-repo@main

And you ignore it without ref restriction:

ignore_actions:
  - name: a-trusted-org/a-trusted-repo

Then any branch in the repository could be used, potentially containing malicious code.
However, if you restrict it to main:

ignore_actions:
  - name: a-trusted-org/a-trusted-repo
    ref: ^main$ # Trusted branch

You ensure that only the main branch (which typically has proper review processes and branch protection rules) is trusted.

v2.0.4

Compare Source

Pull Requests | Issues | suzuki-shunsuke/pinact@v2.0.3...v2.0.4

Fixes

#834 Output warning instead of returning error when a long tag isn't found

v2.0.3

Compare Source

Pull Requests | Issues | suzuki-shunsuke/pinact@v2.0.2...v2.0.3

🐛 Bug Fixes

#833 Configuration file's files.pattern doesn't work on Windows @mika-f

v2.0.2

Compare Source

Pull Requests | Issues | suzuki-shunsuke/pinact@v2.0.0...v2.0.2

Others

#829 #830 Release pinact to suzuki-shunsuke/scoop-bucket

You can now install pinact using Scoop.

scoop bucket add suzuki-shunsuke https://github.com/suzuki-shunsuke/scoop-bucket
scoop install pinact

https://github.com/suzuki-shunsuke/scoop-bucket/blob/main/pinact.json

v2.0.1

Compare Source

Pull Requests | Issues | suzuki-shunsuke/pinact@v2.0.0...v2.0.1

⚠️ Release failed.

v2.0.0

Compare Source

Pull Requests | Issues | suzuki-shunsuke/pinact@v1.6.0...v2.0.0

⚠️ Breaking Changes

#823 Make pinact run fail if it can't pin some actions

This release changes the behaviour of pinact run when it can't pin some actions.

Previously, pinact succeeded even if it couldn't pin some actions.
For instance, pinact can't pin action whose version is a branch such as main and master.

uses: actions/checkout@main

As of this release, pinact run fails if it can't pin some actions.
Unlike --check option, pinact run fixes files even if it can't pin some actions.

$ pinact run testdata/zoo.yaml
ERRO[0000] parse a line                                  error="action can't be pinned" pinact_version= program=pinact workflow_file=testdata/zoo.yaml

$ echo $?
1

Why is this breaking change necessary?

The problem of pinact v1 is that you can miss actions which specify default branches or feature branches.

uses: actions/checkout@main

To ensure all actions are pinned, this is undesirable.
If you can't pin some actions, you should add them to ignore_actions in .pinact.yaml explicitly.
This improves the security of your workflows.

How To Migrate

If you can't pin some actions, you should add them to ignore_actions in .pinact.yaml explicitly.

ignore_actions:
  # names are regular expressions
  - name: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml
  - name: "^peaceiris/"

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
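The two security points made in the release notes above (v2.1.0: an ignore rule without `ref` trusts every branch of an action; v3.0.0: `ref: main` must no longer partially match `malicious-main`) can be checked against a set of `uses:` references with a small audit script. The following is an added example, not code from pinact or from this PR: it models an `ignore_actions` rule list as in `.pinact.yaml` and classifies constructed `uses:` values under the old partial-match semantics and the v3 full-match semantics. The helper names (`classify`, `rule_covers`) and the sample references, including the placeholder commit SHA, are this example's own assumptions; it is a simplified model of pinact's ignore logic, not a re-implementation of the tool.

```python
"""Audit ignore_actions rules: partial (pre-v3) vs exact (v3) regex matching.

Added example, not part of pinact. Models the two situations the release notes
warn about: a rule without `ref` trusts every ref of the action, and an
unanchored `ref: main` under partial matching also trusts `malicious-main`.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample `uses:` references (the 40-hex SHA is a made-up placeholder).
SAMPLE_USES: List[str] = [
    "actions/checkout@0123456789abcdef0123456789abcdef01234567",
    "a-trusted-org/a-trusted-repo@main",
    "a-trusted-org/a-trusted-repo@malicious-main",
    "a-trusted-org/a-trusted-repo@feature/experiment",
    "suzuki-shunsuke/some-action@v1.2.3",
]

# Rule list in the shape of .pinact.yaml's ignore_actions (name/ref are regexes).
IGNORE_RULES: List[Dict[str, str]] = [
    {"name": "a-trusted-org/a-trusted-repo", "ref": "main"},
]

SHA_RE = re.compile(r"[0-9a-f]{40}")


def split_uses(uses: str) -> Tuple[str, str]:
    """Split 'owner/repo[/path]@ref' into (name, ref)."""
    name, sep, ref = uses.rpartition("@")
    if not sep:
        raise ValueError(f"no @ref in {uses!r}")
    return name, ref


def is_pinned(ref: str) -> bool:
    """A ref counts as pinned only when it is a full commit SHA."""
    return SHA_RE.fullmatch(ref) is not None


def rule_covers(rule: Dict[str, str], name: str, ref: str, exact: bool) -> bool:
    """Does an ignore rule cover this action@ref?

    exact=True  -> v3 semantics: the regex must match the whole string.
    exact=False -> pre-v3 semantics: a partial match anywhere is enough.
    """
    match = re.fullmatch if exact else re.search
    if match(rule["name"], name) is None:
        return False
    ref_pattern: Optional[str] = rule.get("ref")
    if ref_pattern is None:
        # No ref restriction: every branch and tag of the action is trusted.
        return True
    return match(ref_pattern, ref) is not None


def classify(uses_list: List[str], rules: List[Dict[str, str]], exact: bool) -> Dict[str, List[str]]:
    """Sort references into pinned / ignored-by-rule / flagged (unpinned, uncovered)."""
    result: Dict[str, List[str]] = {"pinned": [], "ignored": [], "flagged": []}
    for uses in uses_list:
        name, ref = split_uses(uses)
        if is_pinned(ref):
            result["pinned"].append(uses)
        elif any(rule_covers(r, name, ref, exact) for r in rules):
            result["ignored"].append(uses)
        else:
            result["flagged"].append(uses)
    return result


if __name__ == "__main__":
    for label, exact in (("partial match (pre-v3)", False), ("full match (v3)", True)):
        print(f"== {label} ==")
        for bucket, items in classify(SAMPLE_USES, IGNORE_RULES, exact).items():
            for item in items:
                print(f"  {bucket:8} {item}")
    print("== rule without ref (v3) ==")
    print(classify(SAMPLE_USES, [{"name": "a-trusted-org/a-trusted-repo"}], True)["ignored"])
```

Under partial matching the `ref: main` rule silently puts `a-trusted-org/a-trusted-repo@malicious-main` in the ignored bucket; under full matching it is flagged, which is the behaviour the v3 notes describe. Dropping `ref` from the rule moves all three unpinned refs of that repository into the ignored bucket, which is the "trusting ALL branches" case from the v2.1.0 notes.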

@renovate renovate bot requested a review from koyashiro March 30, 2025 02:12
@renovate renovate bot force-pushed the renovate/suzuki-shunsuke-pinact-3.x branch 2 times, most recently from bd90737 to c45ee16 Compare April 5, 2025 01:32
@renovate renovate bot force-pushed the renovate/suzuki-shunsuke-pinact-3.x branch from c45ee16 to 1d268fe Compare April 5, 2025 09:53