Shunsuke Suzuki

Release v0.2.2 · suzuki-shunsuke/ghtkn v0.2.1...v0.2.2 🐛 Bug Fixes #94 Fix a bug of ghtkn init command that the abandoned persist field is included in generated configuration files persist field was abandoned at v0.2.0.

The field `persist` was abandoned.
I fixed.
github.com/suzuki-shuns...

YouTube video by Cloud Posse DevOps "Office Hours" (2025-09-17)

ghtkn was featured in DevOps "Office Hours" (2025-09-17) 🎉
www.youtube.com/watch?v=jCgK...

GitHub - suzuki-shunsuke/ghtkn: A CLI to create GitHub App User Access Token for secure local development A CLI to create GitHub App User Access Token for secure local development - suzuki-shunsuke/ghtkn

My new OSS project, ghtkn, is out!
It’s a CLI tool for creating user access tokens for a GitHub App via Device Flow, designed for secure local development.
No more relying on long-lived access tokens.
github.com/suzuki-shuns...

Introducing ghtkn — Your Safer GitHub Token Solution Are you still relying on long-lived GitHub tokens—like Personal Access Tokens (PATs) or OAuth tokens...

Introducing ghtkn — Your Safer GitHub Token Solution
dev.to/suzukishunsu...

GitHub - google/wire: Compile-time Dependency Injection for Go Compile-time Dependency Injection for Go. Contribute to google/wire development by creating an account on GitHub.

google/wire was archived.
github.com/google/wire

Release v3.4.1 · suzuki-shunsuke/pinact Pull Requests | Issues | v3.4.0...v3.4.1 🐛 Bug Fixes #1083 Fix the error message if it fails to handle a line

pinact v3.4.1 is out 🎉
Fix the confusing error message `action isn't pinned` when it fails to handle a line due to GitHub API error.
github.com/suzuki-shuns...

Release v3.4.0 · suzuki-shunsuke/pinact Pull Requests | Issues | v3.3.2...v3.4.0 Features #1082 Support fixing or excluding only specific actions You can now fix only specific actions using the -include (-i) <regular expression> option. ...

pinact v3.4.0 is out 🎉
You can now fix or exclude only specific actions by regular expression using command line options.
github.com/suzuki-shuns...

Release v1.18.0 · suzuki-shunsuke/tfaction Issues | Pull Requests | v1.17.0...v1.18.0 | Base revision Features #2777 #2780 #2785 #2789 #2792 #2793 #2794 #2796 #2833 #2838 Support creating commits and pull requests by Securefix Action You ca...

tfaction v1.18.0 🎉
Now tfaction can create commits and pull requests using Securefix Action.
It improves the security of your Terraform workflows.
github.com/suzuki-shuns...

Release v0.2.0 · csm-actions/securefix-action Issues | Pull Requests | v0.1.0...v0.2.0 | Base revision Overview Breaking Changes #164 The process label deletion was moved from the client side to the server side Features #123 Support pushi...

Securefix Action v0.2.0 🎉
You can now change the repository and branch where a commit is pushed.
You can also create pull requests.
You can replace insecure commit and pr generation with Securefix Action, elevating the security to the next level.
github.com/csm-actions/...

Release v0.0.8 · suzuki-shunsuke/validate-pr-review-action Issues | Pull Requests | v0.0.7...v0.0.8 | Base revision Features #182 Support merge_group event by default

validate-pr-review-action v0.0.8 🎉
Supported `merge_group` event without any settings.
github.com/suzuki-shuns...

🍻 tfmv 🍻

CLI to rename Terraform resources and generate moved blocks

🔗 https://github.com/suzuki-shunsuke/tfmv

#homebrew #newpkg #macos #linux #formula

🍻 ghalint 🍻

GitHub Actions linter

🔗 https://github.com/suzuki-shunsuke/ghalint

#homebrew #newpkg #macos #linux #formula

TIL: Aqua CLI Version Manager
www.ianlewis.org/til/2025/04/...

🍻 You can now install tfcmt using the official Homebrew Formula 🍻

GitHub - suzuki-shunsuke/validate-pr-review-action: GitHub Action to validate pull request reviews GitHub Action to validate pull request reviews. Contribute to suzuki-shunsuke/validate-pr-review-action development by creating an account on GitHub.

I've released a new GitHub Action to validate pull request reviews.
It enforces the requirement for reviews and prevents pull requests from being merged without proper review.
github.com/suzuki-shuns...

Release v2.51.1 · aquaproj/aqua Pull Requests | Issues | v2.51.0...v2.51.1 Features #3852 #3853 Support managing a GitHub access token using Keyring You can now manage a GitHub Access token using secret store such as Windows Cred...

aqua v2.51.1 is out 🎉
You can now manage a GitHub Access token using secret store such as Windows Credential Manager, macOS Keychain, and GNOME Keyring.
github.com/aquaproj/aqu...

GitHub - csm-actions/approve-pr-action: GitHub Action to approve pull requests securely GitHub Action to approve pull requests securely. Contribute to csm-actions/approve-pr-action development by creating an account on GitHub.

Approve PR Action allows you to approve pull requests created by reliable apps like Renovate and Dependabot by machine users automatically.
You can manage PAT securely without sharing it across repositories.
github.com/csm-actions/...

GitHub - csm-actions/update-branch-action: GitHub Action to update pull request branches securely GitHub Action to update pull request branches securely - csm-actions/update-branch-action

Update Branch Action allows you to update pull request branches in CI securely.
github.com/csm-actions/...

GitHub - csm-actions/securefix-action: GitHub Action to fix code securely GitHub Action to fix code securely. Contribute to csm-actions/securefix-action development by creating an account on GitHub.

Securefix Action allows you to fix pull requests securely.
github.com/csm-actions/...

And I built some actions based on this model.
securefix-action, update-branch-action, and approve-pr-action.

GitHub - csm-actions/docs: Client / Server Model document Client / Server Model document. Contribute to csm-actions/docs development by creating an account on GitHub.

I wrote the document about the Client/Server Model to make GitHub Actions secure.
You can protect server workflows with strong permissions and credentials by separating them from client workflows.
For details, please see the document.
github.com/csm-actions/...

pinact solves the problem of malware inside GitHub actions (already happening in practice).

It automatically pins actions to a specific commit (since regular version tags can be re-released) and updates them later.

It’s like a lockfile, but for CI.

github.com/suzuki-shuns...

Release v3.0.0 · suzuki-shunsuke/pinact Pull Requests | Issues | v2.2.1...v3.0.0 ⚠ Breaking Changes NoteIf you don't use pinact configuration file .pinact.yaml, you don't need to do anything. #855 Change the default schema version to 3 ...

pinact v3 is out 🎉
There are several breaking changes.
These changes make pinact securer by default.
For more details, please check the release note out.
github.com/suzuki-shuns...

Do you pin GitHub Actions versions to full length commit hash?
If so, how about verifying checksums when downloading assets from GitHub Releases or somewhere?
You can verify checksums and update checksums easily using aqua.
aquaproj.github.io/docs/guides/...

Release v2.0.0 · suzuki-shunsuke/cmdx Pull Requests | Issues | v1.7.7...v2.0.0 ⚠️ Breaking Changes The default shell is changed from sh to bash -euo pipefail. If bash isn't available, sh is used. The format of pre-built binaries for W...

cmdx v2.0.0 is out 🎉
- The default shell is changed from sh to `bash -euo pipefail`. If bash isn't available, sh is used.
- The format of pre-built binaries for Windows is changed from tar.gz to zip
github.com/suzuki-shuns...

Support custom permissions · Issue #3 · actions/create-github-app-token follow up to: 2d5eced Our idea is to add separate permission_* parameters for each permission supported by GitHub Apps: https://docs.github.com/en/rest/overview/permissions-required-for-github-apps...

actions/create-github-app-token has supported custom permissions 🎉
github.com/actions/crea...
github.com/actions/crea...

GitHub Star History View and compare GitHub star history graph of open source projects.

www.star-history.com#suzuki-shuns...

GitHub - suzuki-shunsuke/pinact: pinact is a CLI to edit GitHub Workflow and Composite action files and pin versions of Actions and Reusable Workflows. pinact can also update their versions and verify... pinact is a CLI to edit GitHub Workflow and Composite action files and pin versions of Actions and Reusable Workflows. pinact can also update their versions and verify version annotations. - suzuki...

github.com/suzuki-shuns...

The number of stars for pinact increased by about 90 due to the tj-actions incident. 💫

Pin GitHub Actions to a full length commit SHA for Security Last weekend, the popular GitHub Action tj-actions/changed-files was...

This post introduces how to pin GitHub Action versions across all repositories in your organization.

Pin GitHub Actions to a full length commit SHA for Security
dev.to/suzukishunsu...