require-forgejo-actions-pinned-sha
Require Forgejo workflow uses: references to pin third-party actions/workflows to full commit SHAs.
Targeted pattern scope
This rule scans .forgejo/workflows/*.{yml,yaml} and inspects uses: references.
It accepts:
- local actions (uses: ./path/to/action)
- docker references (uses: docker://...)
- third-party actions/workflows pinned to a full 40-character SHA
It reports mutable refs such as tags (@v4) and branches (@main).
What this rule reports
This rule reports Forgejo workflow uses: entries that are not pinned to immutable full-length commit SHAs.
Why this rule exists
Forgejo Actions uses the same uses: workflow model and supports referencing remote action repositories by Git ref. Mutable refs can move over time. Pinning to full commit SHAs makes workflow dependencies immutable and auditable.
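The acceptance rules above, applied by a small line-based checker. This is an added illustration, not the plugin's own implementation; the function names, the regular expressions and the sample workflow are assumptions constructed for the example.

```javascript
// Added example: a minimal checker that classifies `uses:` references the way
// the rule text describes (local, docker://, full SHA accepted; everything
// else reported). Not the plugin's code; names are hypothetical.
const FULL_SHA = /^[0-9a-f]{40}$/i;

// Classify one `uses:` value. Returns { ok, reason }.
function classifyUses(ref) {
  if (ref.startsWith("./")) return { ok: true, reason: "local action" };
  if (ref.startsWith("docker://")) return { ok: true, reason: "docker reference" };
  // lastIndexOf handles reusable-workflow paths such as org/repo/.forgejo/workflows/x.yml@<ref>
  const at = ref.lastIndexOf("@");
  if (at === -1) return { ok: false, reason: "no ref given (resolves to default branch)" };
  const version = ref.slice(at + 1);
  if (FULL_SHA.test(version)) return { ok: true, reason: "pinned to full commit SHA" };
  return { ok: false, reason: `mutable ref "${version}" (tag or branch)` };
}

// Scan workflow YAML text line by line and return the `uses:` entries that are
// not immutable, with 1-based line numbers. YAML comments (" # ...") are
// stripped before matching so a commented-out step is not reported.
function findUnpinnedUses(yamlText) {
  const findings = [];
  yamlText.split("\n").forEach((rawLine, idx) => {
    const line = rawLine.replace(/\s#.*$/, "");
    const m = line.match(/^\s*-?\s*uses:\s*["']?([^"'\s]+)["']?\s*$/);
    if (!m) return;
    const verdict = classifyUses(m[1]);
    if (!verdict.ok) findings.push({ line: idx + 1, uses: m[1], reason: verdict.reason });
  });
  return findings;
}

// Constructed sample workflow mixing acceptable and reportable references.
const SAMPLE_WORKFLOW = `name: CI
on:
  push:
jobs:
  test:
    runs-on: docker
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
      - uses: ./actions/my-local-action
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
`;

console.log(JSON.stringify(findUnpinnedUses(SAMPLE_WORKFLOW), null, 2));
```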
Incorrect

```yaml
# .forgejo/workflows/ci.yml
name: CI
on:
  push:
jobs:
  test:
    runs-on: docker
    steps:
      # mutable tag: the commit it resolves to can change at any time
      - uses: actions/checkout@v4
```
Correct

```yaml
# .forgejo/workflows/ci.yml
name: CI
on:
  push:
jobs:
  test:
    runs-on: docker
    steps:
      # pinned to a full 40-character commit SHA
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
      # local actions are valid
      - uses: ./actions/my-local-action
```
ESLint flat config example

```javascript
import repoPlugin from "eslint-plugin-repo";

export default [
  repoPlugin.configs.codeberg,
  {
    plugins: { "repo-compliance": repoPlugin },
    rules: {
      "repo-compliance/require-forgejo-actions-pinned-sha": "error",
    },
  },
];
```
When not to use it
Disable this rule only if action ref immutability is enforced outside the repository (for example by server-side policy or mirror-controlled action refs).
Rule catalog ID: R026
Further reading
Adoption resources
- Use with require-forgejo-actions-workflow-permissions for stronger Forgejo workflow hardening.
- Start by pinning internet-fetched actions first, then local mirrors.