actioneer scans GitHub Actions workflows, finds outdated uses: references, and can rewrite them to newer versions or pinned SHAs.
brew install luxass/homebrew-tap/actioneer
cargo install --locked actioneer
macOS and Linux:
curl -fsSL https://raw.githubusercontent.com/luxass/actioneer/main/install.sh | sh
The installer uses Homebrew if available, otherwise downloads the correct release for your platform and installs actioneer into ~/.local/bin by default.
You can override the target directory with ACTIONEER_INSTALL_DIR, and pin a specific release with ACTIONEER_VERSION.
Windows can use the release archives from GitHub Releases.
actioneer --dry-run
actioneer --yes
actioneer audit
By default, actioneer scans .github. Use --recursive to scan from the current directory, or pass a file or directory explicitly.
- Finds GitHub Actions references in workflow YAML.
- Resolves newer tags through the GitHub API.
- Rewrites references either as SHAs or preserved tags.
- Detects SHA/comment mismatches before you trust pinned actions.
- Supports interactive use, CI validation, and JSON output.
- Updates are currently rewritten as pinned SHAs with version comments.
- audit exits non-zero on SHA/comment mismatches.
- Interactive selection requires a TTY.
- Set GITHUB_TOKEN if you want higher GitHub API rate limits.
- Workflow security analysis runs in CI via zizmor.
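The pin audit listed above, sketched as an added example (not actioneer's own code): it classifies each uses: reference as a mutable ref, a pinned SHA with no version comment, or a pinned SHA whose comment tag resolves to a different commit. It assumes that is what a SHA/comment mismatch means; resolve_tag, the example-org actions and the tag table are constructed stand-ins for a GitHub API lookup.

```python
import re

# `uses: owner/repo[/path]@ref`, optionally quoted, with an optional `# comment`.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<action>[^@\s'\"]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed commit ids and workflow; none of these refer to real actions.
SHA_A, SHA_B, SHA_C, SHA_D = ("a" * 40, "b" * 40, "c" * 40, "d" * 40)
SAMPLE_WORKFLOW = f"""\
jobs:
  build:
    steps:
      - uses: example-org/checkout@v4
      - uses: example-org/setup-tool@{SHA_A} # v2.1.0
      - uses: example-org/deploy/sub@{SHA_B} # v1.0.0
      - uses: example-org/lint@{SHA_C}
      - uses: ./.github/actions/local
"""
# Constructed (repo, tag) -> commit table standing in for the GitHub API.
SAMPLE_TAGS = {
    ("example-org/setup-tool", "v2.1.0"): SHA_A,
    ("example-org/deploy", "v1.0.0"): SHA_D,  # tag points elsewhere than the pin
}


def audit_workflow(text, resolve_tag):
    """Return (line_no, action, status) for each remote `uses:` reference.
    resolve_tag(repo, tag) -> SHA or None is a hypothetical lookup callback."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m["action"].startswith("docker://"):
            continue  # local ./ actions carry no @ref; images are out of scope
        action, ref, comment = m["action"], m["ref"], m["comment"]
        repo = "/".join(action.split("/")[:2])  # drop any sub-path in the repo
        if not FULL_SHA_RE.match(ref):
            status = "mutable-ref"  # tag or branch: can move after review
        elif comment is None:
            status = "pinned-no-comment"  # nothing to cross-check the pin against
        elif resolve_tag(repo, comment) == ref:
            status = "ok"
        else:
            status = "sha-comment-mismatch"  # comment claims a tag the SHA is not
        findings.append((line_no, action, status))
    return findings
```
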
This repository uses zizmor to statically analyze GitHub Actions workflows.
zizmor itself is a Rust tool, and the upstream project ships both a Cargo-installable CLI and a GitHub Action wrapper.
For local use, install it with Cargo:
cargo install --locked zizmor
just zizmor .
The CI integration lives in .github/workflows/zizmor.yaml and uploads results through GitHub code scanning.
Build the Rust CLI directly:
cargo build
./target/debug/actioneer --help
For local iteration:
cargo run -- --dry-run
cargo test
Published under MIT License.