Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package pinact for openSUSE:Factory checked in at 2026-05-29 18:11:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pinact (Old)
 and      /work/SRC/openSUSE:Factory/.pinact.new.1937 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pinact"

Fri May 29 18:11:17 2026 rev:12 rq:1355842 version:4.0.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/pinact/pinact.changes 2026-05-16 19:27:05.696355143 +0200
+++ /work/SRC/openSUSE:Factory/.pinact.new.1937/pinact.changes 2026-05-29 18:12:54.852902998 +0200
@@ -1,0 +2,217 @@ +Fri May 29 07:18:19 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 4.0.0: + * Breaking Changes + - #1540 Removed the -review option + Output SARIF and pass it to reviewdog. This has been + announced previously. + + pinact run -format sarif | + reviewdog -f sarif -name pinact -reporter github-pr-review + + * #1540 Always output diff + Even if you specify -diff=false, it is ignored. + * #1540 -diff and -check are now aliases for -fix=false + This simplifies the logic, making it easier to understand and + less prone to bugs. + * #1540 -verify is now an alias for --verify-comment + -verify was unclear about what was being verified, so it has + been renamed for clarity. + However, -verify is kept as-is to maintain backward + compatibility. + * #1458 #1558 Version comments are now required @ManuelLerchnerQC + For SHAs without a version comment, pinact automatically adds a + version comment (validation error if -fix=false). + + $ pinact run test.yaml + test.yaml:1 + - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + Specifying a version comment makes it easier to see which + version is being used, and makes it easier for tools like + Renovate and Dependabot to update. + It also has security implications. + For GitHub Actions versions, you can also specify the SHA of a + commit in a fork. + This means it could point to a malicious commit in a fork. + If you specify only the SHA without a version comment, you + cannot tell whether it is the SHA of a commit in a fork. + By requiring version comments, you can verify that the version + comment matches the SHA using the --verify-comment option. + Even if a fake version comment is added to a fork's SHA, it can + be detected by --verify-comment. 
+ An attacker could also create a tag pointing to a fork's SHA, + but creating a tag requires write permission, which raises the + bar for attacks, so this can be said to improve security. + Of course, this is only meaningful if you verify with + --verify-comment, so it is recommended to run pinact with + --verify-comment in CI. + * Features + - -no-api: support for offline validation + If you just want to check whether something is pinned, you + don't really need to use the GitHub API, but previously the + GitHub API was called. + With the -no-api option, you can validate without calling the + GitHub API. + However, since API calls are currently essential for fixing + code (this may change in the future if caching is supported), + you need to specify either -fix=false or -format sarif. + Implicitly treating it as -fix=false could cause behavior to + change and become a breaking change when caching is + supported, so it must currently be specified explicitly. + - You can now check whether the version being used satisfies + min age, not just newer versions + For example, you can run it in CI against modified lines to + check whether any dangerous versions that do not satisfy min + age are being used. + This is not checked by default, but is checked when you run + pinact run --verify-min-age or pinact run -min-age <min age>. + - More flexible min age support via rules + min age can now be configured in the configuration file. + Additionally, by using rules, you can apply settings such as + min age to specific actions. + + min_age: + value: 7 # default setting + rules: + # Allow latest for suzuki-shunsuke's actions + - ignore: true + conditions: + - expr: | + ActionRepoOwner == "suzuki-shunsuke" && ActionVersion == "latest" + # Set min age to 0 for actions/checkout + - min_age: 0 + conditions: + - expr: | + ActionRepoFullName == "actions/checkout" + + For rules, conditions are evaluated per rule, and the + settings are applied if matched. 
+ You can write multiple conditions, and the settings are + applied if any one of the conditions matches. + expr follows https://expr-lang.org/docs/language-definition. + Please read the documentation for details. + The settings of rules listed later in rules take precedence. + - Support for a global configuration file + Warning + If you have set the PINACT_MIN_AGE environment variable in + ~/.bashrc, ~/.zshrc, etc., it is recommended to remove it + and use a global configuration file instead. + PINACT_MIN_AGE takes precedence over the configuration + file, so it overrides the project's settings. + On the other hand, global settings are merged with lower + priority than the project's settings. + If you want to enforce the setting, PINACT_MIN_AGE is + suitable, but for default settings, a global configuration + file is more appropriate. + Note also that environment variables do not allow flexible + settings like rules. + A global configuration file is now supported. + The file path is searched in the following order of priority: + - $PINACT_GLOBAL_CONFIG + - ${XDG_CONFIG_HOME}/pinact/pinact.yaml + - ${HOME}/.config/pinact/pinact.yaml + rules are prepended before the rules in the project + configuration file. + So project settings take precedence over global settings. + - Automatic correction of version comments via -verify-comment + If the SHA and the version comment do not match, the version + comment is automatically corrected to match the SHA. + Previously, it would just return an error, but now it is + automatically corrected. + - -diff-file: limit pinact's targets to only the changed lines + If you specify a file in Unified Diff Format via -diff-file, + you can limit pinact's targets to only the changed lines. + By passing the PR's diff file in PR CI, you can reduce + unnecessary API calls and prevent corrections or errors from + code unrelated to the PR's changes. 
+ This makes it easier to introduce pinact via Required + Workflow across an entire GitHub Organization of a large + development organization. + To improve the overall health of a development organization, + it is desirable to introduce pinact via Required Workflow. + However, if you suddenly introduce pinact as a Required + Workflow in an Organization that has a lot of originally + unpinned code, errors and corrections unrelated to the PR's + changes will occur everywhere, causing confusion. + When errors occur in places unrelated to the PR's changes, + the PR author thinks "what is this error?", "wait, do I have + to fix this? It's unrelated to this PR so I want to split the + PR, but creating a PR is a hassle." + It is also possible that the same error occurs in multiple + PRs, and each one independently performs redundant fixing + work. + Inquiries about errors come in from various teams, generating + unnecessary costs. + If you try to fix everything before introducing the Required + Workflow, it takes time to introduce, and during that time + the bad situation continues where new unpinned code keeps + increasing. + On the other hand, if you can fix and validate only the lines + changed in a PR, the PR author can more easily accept making + the fix, and there is no need to split the PR. + However, this alone does not pin existing code, so in + parallel with this, you still need to run pinact against each + repository and create PRs. + How do you generate the file specified by -diff-file? You can + easily generate it using the action + https://github.com/suzuki-shunsuke/pr-unified-diff-action. 
+ + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: suzuki-shunsuke/pr-unified-diff-action@c932c1df5f577028d8ca05d2d3c0c059072d8821 # v0.0.1 + id: diff + - uses: suzuki-shunsuke/pinact-action@896d595f299e71d65b9d28349d6956abe144390a # v3.0.0 + with: + diff_file: ${{ steps.diff.outputs.diff_path }} + * Changelog + - fix(deps): update module github.com/google/go-github/v87 to + v88 (#1564) + - fix(run): filter --diff-file targets by workflow patterns + (#1562) + - chore(deps): update dependency aquaproj/aqua-registry to + v4.516.0 (#1559) + - feat!: error when SHA-pinned action has no version comment + (#1558) + - fix(run): use --diff-file as the file source when no + args/config (#1557) + - feat(verify): auto-correct version comments to match actual + SHA (#1435) + - fix(run): normalize --diff-file paths to forward slashes for + Windows (#1552) + - feat: add version comment to pinned actions missing + annotation (#1458) + - fix: honor rules[].min_age in update-target cooldown filter + (#1556) + - chore(deps): update dependency aquaproj/aqua-registry to + v4.515.0 (#1555) + - docs: fix a broken link (#1554) + - fix(deps): update module github.com/google/go-github/v86 to + v87 (#1550) + - chore(deps): update dependency aquaproj/aqua-registry to + v4.514.0 (#1549) + - chore(deps): update dependency aquaproj/aqua-registry to + v4.513.1 (#1548) + - feat(run): add --diff-file to process only PR-changed lines + (#1547) + - chore(deps): update dependency aquaproj/aqua-renovate-config + to v2.12.1 (#1546) + - chore(deps): update dependency aquaproj/aqua-registry to + v4.513.0 (#1545) + - feat(config): merge global and project configs field-by-field + (#1543) + - chore(deps): update suzuki-shunsuke/go-autofix-action action + to v0.1.12 (#1544) + - feat(config): PINACT_GLOBAL_CONFIG env var overrides the + global config path (#1542) + - v4 spec implementation (#1540) + - chore(deps): update dependency 
aquaproj/aqua-registry to + v4.512.1 (#1541) + - chore(deps): update dependency aquaproj/aqua to v2.59.0 + (#1539) + - chore(deps): update dependency suzuki-shunsuke/pinact to + v3.10.1 (#1537) + +------------------------------------------------------------------- Old: ---- pinact-3.10.1.obscpio New: ---- pinact-4.0.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pinact.spec ++++++ --- /var/tmp/diff_new_pack.9FZc2R/_old 2026-05-29 18:12:56.508971902 +0200 +++ /var/tmp/diff_new_pack.9FZc2R/_new 2026-05-29 18:12:56.512972069 +0200 @@ -17,7 +17,7 @@ Name: pinact -Version: 3.10.1 +Version: 4.0.0 Release: 0 Summary: CLI to edit GitHub Workflows and pin versions of Actions and Reusable Workflows License: MIT ++++++ _service ++++++ --- /var/tmp/diff_new_pack.9FZc2R/_old 2026-05-29 18:12:56.556973900 +0200 +++ /var/tmp/diff_new_pack.9FZc2R/_new 2026-05-29 18:12:56.560974066 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/suzuki-shunsuke/pinact.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">refs/tags/v3.10.1</param> + <param name="revision">refs/tags/v4.0.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.9FZc2R/_old 2026-05-29 18:12:56.592975397 +0200 +++ /var/tmp/diff_new_pack.9FZc2R/_new 2026-05-29 18:12:56.592975397 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/suzuki-shunsuke/pinact.git</param> - <param name="changesrevision">9ef46dc5d3e9b2c6873861cc75a27802ea8850aa</param></service></servicedata> + <param name="changesrevision">6cdb1d4b0915dcb0888d0959dd96bd715d8d45e6</param></service></servicedata> (No newline at EOF) ++++++ pinact-3.10.1.obscpio -> pinact-4.0.0.obscpio ++++++ ++++ 8085 lines of diff (skipped) ++++++ pinact.obsinfo ++++++ --- /var/tmp/diff_new_pack.9FZc2R/_old 2026-05-29 18:12:56.916988878 +0200 +++ /var/tmp/diff_new_pack.9FZc2R/_new 2026-05-29 18:12:56.936989711 +0200 @@ -1,5 +1,5 @@ name: pinact -version: 3.10.1 -mtime: 1778821208 -commit: 9ef46dc5d3e9b2c6873861cc75a27802ea8850aa +version: 4.0.0 +mtime: 1779642427 +commit: 6cdb1d4b0915dcb0888d0959dd96bd715d8d45e6 ++++++ vendor.tar.gz ++++++ ++++ 220658 lines of diff (skipped)
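Review bot: the pinact.changes hunk documents breaking CLI behaviour in 4.0.0 (the -review option is removed, -diff and -check become aliases of -fix=false, and per #1558 a SHA-pinned action without a version comment is now an error), so anything in the package that still passes -review or relies on -diff=false, such as a %check invocation or shell completion, will break after this update and should be confirmed before accept. The new mandatory version comment is the security-relevant part: a bare SHA could point at a commit in a fork, and only a comment verified with --verify-comment exposes that, which is the reason the entry recommends running pinact with --verify-comment in CI. The vendor.tar.gz diff (220658 lines) is skipped in this mail, so the go-github v87 to v88 module update listed under Changelog cannot be reviewed here.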
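Review bot: in the _service hunk, `<param name="revision">refs/tags/v4.0.0</param>` fetches the source by a mutable tag, while the immutable reference for this build is the commit 6cdb1d4b0915dcb0888d0959dd96bd715d8d45e6 recorded in _servicedata and pinact.obsinfo; before accept, compare that commit against the upstream v4.0.0 tag, which is exactly the SHA-plus-version-comment discipline pinact itself enforces on GitHub Actions. The revision, Version in pinact.spec and version in pinact.obsinfo all agree on 4.0.0, so the three metadata files are consistent.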
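Review bot: the _servicedata hunk carries a "(No newline at EOF)" marker, so the generated file lacks a trailing newline; this is harmless for tar_scm but worth fixing if the file is ever hand-edited, since tools diffing it will keep flagging the last line. The changesrevision 6cdb1d4b0915dcb0888d0959dd96bd715d8d45e6 matches the commit in the pinact.obsinfo hunk, and mtime 1779642427 is later than the previous 1778821208, so the update is internally consistent.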
