zgosalvez
diff --git a/‎.eslintignore
+1 b/‎.eslintignore
+1
diff --git a/‎.eslintrc.json
+17 b/‎.eslintrc.json
+17
diff --git a/‎.gitattributes
+1 b/‎.gitattributes
+1
diff --git a/‎.gitignore
+67 b/‎.gitignore
+67
diff --git a/‎LICENSE.md
+21 b/‎LICENSE.md
+21
diff --git a/‎README.md
+35 b/‎README.md
+35
diff --git a/‎action.yml
+11 b/‎action.yml
+11
@@ -0,0 +1 @@
+dist/
@@ -0,0 +1,17 @@
+{
+    "env": {
+        "commonjs": true,
+        "es6": true,
+        "node": true
+    },
+    "extends": "eslint:recommended",
+    "globals": {
+        "Atomics": "readonly",
+        "SharedArrayBuffer": "readonly"
+    },
+    "parserOptions": {
+        "ecmaVersion": 2018
+    },
+    "rules": {
+    }
+}
@@ -0,0 +1 @@
+dist/** -diff linguist-generated=true 
@@ -0,0 +1,67 @@
+node_modules/
+
+# Editors
+.vscode/
+.idea/
+*.iml
+
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Other Dependency directories
+jspm_packages/
+
+# TypeScript v1 declaration files
+typings/
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+
+# next.js build output
+.next
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Zennon Gosalvez
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -0,0 +1,35 @@
+# GitHub Action — Ensure SHA Pinned Actions
+
+This GitHub Action (written in JavaScript) allows you to leverage GitHub Actions to ensure that GitHub Actions are pinned to full length commit SHAs. For more information, see "[using third-party actions](https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions)."
+
+## Usage
+### Pre-requisites
+Create a workflow `.yml` file in your `.github/workflows` directory. An [example workflow](#example-workflow---create-a-release) is available below. For more information, reference the GitHub Help Documentation for [Creating a workflow file](https://help.github.com/en/articles/configuring-a-workflow#creating-a-workflow-file).
+
+### Inputs
+None. This action will automatically scan for workflows in the `.github/wokrflows` directory.
+
+### Outputs
+None. This action will throw an error if it finds GitHub Actions that are not pinned to full length commit SHAs.
+
+### Common workflow
+
+Ideally, set this up as an initial job for your workflows. For example:
+```yaml
+on: push
+
+name: Continuous Integration
+
+jobs:
+  harden_security:
+    name: Harden Security
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
+      - name: Ensure SHA pinned actions
+        uses: zgosalvez/[email protected] # Replace this
+```
+
+## License
+The scripts and documentation in this project are released under the [MIT License](LICENSE)
@@ -0,0 +1,11 @@
+# https://github.com/actions/javascript-action
+
+name: 'Ensure SHA Pinned Actions'
+description: 'Ensure that GitHub Actions are pinned to full length commit SHAs'
+author: 'Zennon Gosalvez'
+runs:
+  using: 'node12'
+  main: 'dist/index.js'
+branding:
+  icon: shield
+  color: gray-dark