Adding refme to manage GitHub Action references.

metcalfc · metcalfc · commit b9565d41f001 · 2025-03-18T13:33:11.000-07:00
refme will automatically convert git refs into full git hashes. This eliminates one class of Action attack.
diff --git a/.github/workflows/branchtest.yaml b/.github/workflows/branchtest.yaml
@@ -12,6 +12,7 @@ jobs:
 
       - name: Generate changelog
         id: changelog
+        # refme: ignore
         uses: metcalfc/changelog-generator@main
         with:
           myToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -10,13 +10,15 @@ jobs:
         uses: actions/checkout@v4
       - name: Generate changelog
         id: changelog
+        # refme: ignore
         uses: metcalfc/changelog-generator@main
         with:
           myToken: ${{ secrets.GITHUB_TOKEN }}
           head-ref: 'v0.0.2'
           base-ref: 'v0.0.1'
       - name: Reverse the generated changelog
         id: changelog-rev
+        # refme: ignore
         uses: metcalfc/changelog-generator@main
         with:
           myToken: ${{ secrets.GITHUB_TOKEN }}
@@ -25,6 +27,7 @@ jobs:
           reverse: 'true'
       - name: Explicitly do not reverse the generated changelog
         id: changelog-notrev
+        # refme: ignore
         uses: metcalfc/changelog-generator@main
         with:
           myToken: ${{ secrets.GITHUB_TOKEN }}
@@ -55,6 +58,7 @@ jobs:
           EOF
       - name: Generate changelog from release
         id: release
+        # refme: ignore
         uses: metcalfc/changelog-generator@main
         with:
           myToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -13,13 +13,15 @@
     "postversion": "git push && git push --tags",
     "precommit-msg": "echo 'Pre-commit checks...' && exit 0",
     "precommit": "npm run build && git add dist/",
+    "refme": "npm exec gh-refme -- convert ./.github/workflows/*",
     "test": "echo \"Error: no test specified\" && exit 1",
     "version": "npm run bump:readme && npm run bump:workflow && git add ./dist ./README.md ./SECURITY.md ./.github/workflows/*yml"
   },
   "pre-commit": [
     "precommit-msg",
     "lint",
     "format-check",
+    "refme",
     "precommit"
   ],
   "repository": {
@@ -47,9 +49,10 @@
     "@actions/github": "^6.0.0"
   },
   "devDependencies": {
+    "@eslint/js": "^9.22.0",
     "@vercel/ncc": "^0.38.3",
     "eslint": "^9.22.0",
-    "@eslint/js": "^9.22.0",
+    "gh-refme": "^1.5.0",
     "globals": "^16.0.0",
     "isexe": "^3.1.1",
     "pre-commit": "^1.2.2",
