
Ghat is a tool for updating your GitHub Actions and Terraform with the latest versions of their dependencies, using immutable hashes instead of mutable tags.

JamesWoolfenden/ghat

ghat

Ghat (GHAT) is a tool for updating the dependencies of a GitHub Action (GHA). It replaces insecure mutable tags with immutable commit hashes and moves each reference to the latest released version:

      ## sets up go based on the version
      - name: Install Go
        uses: actions/setup-go@v4.0.1
        with:
          go-version: ${{ matrix.go-version }}

      ## checks out our code locally, so we can work with the files
      - name: Checkout code
        uses: actions/checkout@v3.5.3

Becomes

      ## sets up go based on the version
      - name: Install Go
        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
          go-version: ${{ matrix.go-version }}

      ## checks out our code locally, so we can work with the files
      - name: Checkout code
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
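
A read-only check for the property shown above, as an added example that is not part of Ghat's own code: the hypothetical function `Unpinned` lists every `uses:` reference in a workflow that is not a full 40-character commit SHA (or, for `docker://` references, a sha256 digest). The sample workflow is constructed from the snippets above, with an assumed local action and Docker reference added.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// usesRe captures the value of a `uses:` key; commented-out lines do not match.
var usesRe = regexp.MustCompile(`^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)`)

// shaRe matches a full 40-character commit SHA, the immutable form of a git ref.
var shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

// Unpinned returns "line N: ref" for each reference not pinned immutably.
func Unpinned(workflow string) []string {
	var out []string
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ref, pinned := m[1], false
		switch {
		case strings.HasPrefix(ref, "./"): // local action: no ref to pin
			pinned = true
		case strings.HasPrefix(ref, "docker://"): // immutable only by digest
			pinned = strings.Contains(ref, "@sha256:")
		default: // owner/repo[/path]@ref: tags and branches are mutable
			at := strings.LastIndex(ref, "@")
			pinned = at >= 0 && shaRe.MatchString(ref[at+1:])
		}
		if !pinned {
			out = append(out, fmt.Sprintf("line %d: %s", i+1, ref))
		}
	}
	return out
}

// sample is a constructed workflow fragment, not a file from the project.
const sample = `steps:
  - uses: actions/setup-go@v4.0.1
  - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
  - uses: ./.github/actions/local
  - uses: docker://alpine:3.18
`

func main() {
	fmt.Println(strings.Join(Unpinned(sample), "\n"))
}
```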

Ghat will use your GitHub credentials, if available, from the environment variables GITHUB_TOKEN or GITHUB_API. It can also fall back to anonymous access; the drawback is that anonymous access is severely rate limited by GitHub.

Install

Download the latest binary here:

https://github.com/JamesWoolfenden/ghat/releases

Install from code:

  • Clone repo
  • Run go install

Install remotely:

go install github.com/jameswoolfenden/ghat@latest

MacOS

brew tap jameswoolfenden/homebrew-tap
brew install jameswoolfenden/tap/ghat

Windows

I'm now using Scoop to distribute releases; it's much quicker to update and easier to manage than previous methods. You can install Scoop from https://scoop.sh/.

Add my scoop bucket:

scoop bucket add iac https://github.com/JamesWoolfenden/scoop.git

Then you can install a tool:

scoop install ghat

Docker

docker pull jameswoolfenden/ghat
docker run --tty --volume /local/path/to/repo:/repo jameswoolfenden/ghat swot -d /repo

https://hub.docker.com/repository/docker/jameswoolfenden/ghat

Usage

To authenticate to the GitHub API, set your GitHub Personal Access Token in the environment variable GITHUB_API or GITHUB_TOKEN. If you don't, Ghat falls back to anonymous access, which is subject to rate limits.

Directory scan

This will look for the .github/workflows folder, update all the files it finds there, and display a diff of the changes made to each file:

$ ghat swot -d .

File scan

$ ghat swot -f .\.github\workflows\ci.yml

Stable releases

If you're concerned that the very latest release might be too fresh and would rather have the latest release from 2 weeks ago, I've got you covered:

$ ghat swot -d . --stable 14

Help

$ ghat swot -h
NAME:
   ghat swot - updates GHA in a directory

USAGE:
   ghat swot

OPTIONS:
   authentication

   --token value, -t value  Github PAT token [$GITHUB_TOKEN, $GITHUB_API]

   delay

   --stable value, -s value  days to wait for stabilisation of release (default: 0)

   files

   --directory value, -d value  Destination to update GHAs (default: ".")
   --file value, -f value       GHA file to parse

pre-commit

I've added a number of pre-commit hooks to this repo that will update your build configs. To use them, update your .pre-commit-config.yaml:

  - repo: https://github.com/JamesWoolfenden/ghat/actions
    rev: v0.0.10
    hooks:
      - id: ghat-go
        name: ghat
        description: upgrade action dependencies
        language: golang
        entry: ghat swot -d .
        pass_filenames: false
        always_run: true
        types: [ yaml ]

Building

go build

or

make build

Extending

Log an issue, open a PR, or send an email to jim.wolf @ duck.com.
