docs: add some hash-pinning tool recommendations (#788)

Signed-off-by: William Woodruff <william@yossarian.net>
2025-12-23 08:47:33 +00:00 · 2025-05-12 16:21:11 -04:00 · 2025-05-12 16:21:11 -04:00 · de2e68f63c
commit de2e68f63c
parent 37b1659709
3 changed files with 15 additions and 3 deletions
--- a/docs/assets/magiclink.css
+++ b/docs/assets/magiclink.css
--- a/docs/audits.md
+++ b/docs/audits.md
@ -1254,6 +1254,20 @@ regardless of definition order.

 ### Remediation

+!!! tip
+
+    There are several third-party tools that can automatically hash-pin
+    your workflows and actions for you:
+
+    - :simple-go: @suzuki-shunsuke/pinact: supports updating and hash-pinning
+      workflows, actions, and arbitrary inputs.
+    - :simple-python: @davidism/gha-update: supports updating and hash-pinning
+      workflow definitions.
+    - :simple-go: @stacklok/frizbee: supports hash-pinning (but not updating)
+      workflow definitions.
+
+        See also @stacklok/frizbee#184 for current usage caveats.
+
 For repository actions (like @actions/checkout): add a branch, tag, or SHA
 reference.

@ -1305,8 +1319,6 @@ For Docker actions (like `docker://ubuntu`): add an appropriate
        1. Or `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683` for a SHA-pinned action.


-
-
 ## `unredacted-secrets`

 | Type     | Examples                | Introduced in | Works offline  | Enabled by default | Configurable |
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -102,7 +102,7 @@ validation:
  unrecognized_links: warn

 extra_css:
-  - magiclink.css
+  - assets/magiclink.css

 exclude_docs: |
  snippets/