@marcellodesales commented Dec 30, 2025

🎉 Support GitHub Enterprise Server/Cloud

  • Just using the env.GITHUB_API_SERVER in case it's provided for ALL API calls without any fallback
  • Use the config property as first precedence when configured through a config file

:octocat: Ticket

✅ Test Cases

  • Updated with the verification of the new configs

📚 Docs

  • Adding remarks
  • Show config examples for the new config section

⌨️ Tests

  • Setup
```console
$ go install ./...
$ go env GOBIN GOPATH

/Users/mdesales/go
```

```console
$  /Users/mdesales/go/bin/gha-fix pin --help
Pin GitHub Actions used in workflow files (.yml or .yaml) to specific commit SHAs.

This command scans GitHub Actions in workflow files and replaces references like 'owner/repo@v1'
with specific commit SHAs like 'owner/repo@8843d7f53bd34e3b78f2acee556ba5d53feae7c4'.

Usage:
  pin [file1 file2 ...]

If no files are specified, all workflow files (.yml or .yaml) in the current directory
and subdirectories will be processed.

You can customize the behavior with the following options:
  --ignore-owners: Skip actions from specific owners (e.g., "actions,github")
  --ignore-repos: Skip specific repositories (e.g., "actions/checkout,docker/login-action")
  --strict-pinning-202508: Enable strict SHA pinning for composite actions (GitHub's SHA pinning enforcement policy)
  --api-server: Full GitHub API base URL (e.g., https://github.enterprise.company.com/api/v3/)

The --strict-pinning-202508 option implements support for GitHub's SHA pinning enforcement policy
announced in August 2025. When enabled:
  - Composite actions (e.g., actions/checkout@v4) will be pinned to SHAs even if owner is in ignore-owners
  - Reusable workflows (e.g., org/repo/.github/workflows/build.yml@main) still respect ignore-owners

This helps organizations comply with GitHub's security policies while maintaining flexibility
for reusable workflows. See: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/

Global options:
  --ignore-dirs: Skip specific directories when searching for workflow files (e.g., "node_modules,dist")

Note: GITHUB_TOKEN environment variable is required to fetch tags and commit SHAs from GitHub.

Usage:
  gha-fix pin [flags]

Flags:
      --api-server string                Full GitHub API base URL (e.g., https://github.enterprise.company.com/api/v3). When specified, you must provide 'github-enterprise-token'
      --github-enterprise-token string   GitHub Enterprise token for accessing the configured --api-server (can also be set via GITHUB_ENTERPRISE_TOKEN env var or pin.github-enterprise-token in config)
      --github-token string              GitHub token for accessing GitHub.com API (can also be set via GITHUB_TOKEN env var or pin.github-token in config)
  -h, --help                             help for pin
      --ignore-owners strings            Comma-separated list of owners to ignore
      --ignore-repos strings             Comma-separated list of repos to ignore in format owner/repo
      --strict-pinning-202508            Enable strict SHA pinning for composite actions (GitHub's SHA pinning enforcement policy)

Global Flags:
  -c, --config string         config file (default is ./gha-fix.yaml)
      --ignore-dirs strings   Comma-separated list of directory names to ignore when searching for workflow files (default [.git,node_modules,dist,out,vendor,.idea,.vscode,bin,build,tmp,coverage,.cache,__pycache__])
  -l, --log-level string      set log level (debug, info, warn, error) (default "info")

$ /Users/mdesales/go/bin/gha-fix pin --api-server https://github.company.com/api/v3 --github-enterprise-token ghp_gU********es
2025-12-30 17:31:15.067 INF no changes needed. all GitHub Actions are already pinned or no actions found.
```

⌨️ Test with wrong token

```console
$ /Users/mdesales/go/bin/gha-fix pin --api-server https://github.company.com/api/v3 --github-token ghp_gUes
2025-12-30 17:29:21.030 ERR GitHub Enterprise token is required when using --api-server. Set --github-enterprise-token, pin.github-enterprise-token, or GITHUB_ENTERPRISE_TOKEN.

$ /Users/mdesales/go/bin/gha-fix pin --api-server https://github.company.com/api/v3 --github-enterprise-token ghp_g*****Ues
2025-12-30 13:29:46.107 ERR failed to pin actions error=failed to process file: action.yaml: failed to replace actions in file: action.yaml: failed to resolve version for seceng-devsecops-platform/wearerequired-slack-messaging-action@v3.0.0: failed to list tags for seceng-devsecops-platform/wearerequired-slack-messaging-action: GET https://github.company.com/api/v3/repos/seceng-devsecops-platform/wearerequired-slack-messaging-action/tags?per_page=100: 403  []
```

⌨️ Tests without a GitHub.com token

  • It may fail depending on your IP address
  • It might just fail with a bad credential
```console
$ /Users/mdesales/go/bin/gha-fix pin --api-server https://git.viasat.com/api/v3 --github-enterprise-token ghp_g******TUes --log-level debug
2025-12-30 15:58:05.929 DBG searching for workflow files to process
2025-12-30 15:58:05.931 DBG skipping directory path=build name=build
2025-12-30 15:58:05.937 DBG found workflow files count=15
2025-12-30 15:58:05.937 DBG processing file path=custom/load-mapped-repos-to-matrix/action.yaml
2025-12-30 15:58:05.940 DBG processing file path=docker/prisma-cloud-scan-reporter/action.yaml
2025-12-30 15:58:05.945 DBG processing file path=docker/sbom-reporter/action.yaml
2025-12-30 15:58:05.951 DBG processing file path=github/check-runs-create/action.yaml
2025-12-30 15:58:05.954 DBG processing file path=github/check-runs-synchronized/action.yaml
2025-12-30 15:58:05.958 DBG processing file path=github/check-runs-terminate/action.yaml
2025-12-30 15:58:05.961 DBG processing file path=github/ghas-dependabot-metadata/action.yaml
2025-12-30 15:58:05.967 DBG fetching tags for version resolution owner=actions repo=checkout page=0
2025-12-30 15:58:07.101 DBG fetching tags for version resolution owner=dependabot repo=fetch-metadata page=0
2025-12-30 15:58:07.430 DBG fallback to github.com owner=dependabot repo=fetch-metadata page=0
2025-12-30 15:58:08.449 ERR failed to pin actions error=failed to process file: github/ghas-dependabot-metadata/action.yaml: failed to replace actions in file: github/ghas-dependabot-metadata/action.yaml: failed to resolve version for dependabot/fetch-metadata@v2.3.0: failed to list tags for dependabot/fetch-metadata: GET https://api.github.com/repos/dependabot/fetch-metadata/tags?per_page=100: 401 Bad credentials []
```

⌨️ Tests with fallback

  • When a github.com token is not provided, the pin may also fail due to a rate limit...
  • The example is with the dependabot action, which is NOT mirrored in GitHub Enterprise servers... Then, API calls to https://api.github.com/repos/dependabot/fetch-metadata/tags may also be throttled for a developer without a GITHUB_TOKEN.
  • Actions from mirror repos, custom reusable actions included
  • Actions that are NOT mirrored, and are checked with the github.com fallback
```console
$ /Users/mdesales/go/bin/gha-fix pin --api-server https://github.company.com/api/v3 --github-enterprise-token ghp_gY***TUes --log-level debug
2025-12-30 15:58:05.929 DBG searching for workflow files to process
2025-12-30 15:58:05.931 DBG skipping directory path=build name=build
2025-12-30 15:58:05.937 DBG found workflow files count=15
2025-12-30 15:58:05.937 DBG processing file path=custom/load-mapped-repos-to-matrix/action.yaml
2025-12-30 15:58:05.940 DBG processing file path=docker/prisma-cloud-scan-reporter/action.yaml
2025-12-30 15:58:05.945 DBG processing file path=docker/sbom-reporter/action.yaml
2025-12-30 15:58:05.951 DBG processing file path=github/check-runs-create/action.yaml
2025-12-30 15:58:05.954 DBG processing file path=github/check-runs-synchronized/action.yaml
2025-12-30 15:58:05.958 DBG processing file path=github/check-runs-terminate/action.yaml
2025-12-30 15:58:05.961 DBG processing file path=github/ghas-dependabot-metadata/action.yaml
2025-12-30 15:58:05.967 DBG fetching tags for version resolution owner=actions repo=checkout page=0
2025-12-30 15:58:07.101 DBG fetching tags for version resolution owner=dependabot repo=fetch-metadata page=0
2025-12-30 15:58:07.430 DBG fallback to github.com owner=dependabot repo=fetch-metadata page=0
2025-12-30 15:58:08.449 ERR failed to pin actions error=failed to process file: github/ghas-dependabot-metadata/action.yaml: failed to replace actions in file: github/ghas-dependabot-metadata/action.yaml: failed to resolve version for dependabot/fetch-metadata@v2.3.0: failed to list tags for dependabot/fetch-metadata: GET https://api.github.com/repos/dependabot/fetch-metadata/tags?per_page=100: 401 Bad credentials []
```
  • When tokens are provided for both the Enterprise server and GitHub.com, patching is always guaranteed, as the GitHub.com token rate limit is also raised.
```console
$ /Users/mdesales/go/bin/gha-fix pin --api-server https://github.company.com/api/v3 --github-enterprise-token ghp_g****TUes --log-level debug --github-token ghp_5****3My1
2025-12-30 15:59:09.794 DBG searching for workflow files to process
2025-12-30 15:59:09.797 DBG skipping directory path=build name=build
2025-12-30 15:59:09.803 DBG found workflow files count=15
2025-12-30 15:59:09.803 DBG processing file path=custom/load-mapped-repos-to-matrix/action.yaml
2025-12-30 15:59:09.803 DBG processing file path=docker/prisma-cloud-scan-reporter/action.yaml
2025-12-30 15:59:09.804 DBG processing file path=docker/sbom-reporter/action.yaml
2025-12-30 15:59:09.804 DBG processing file path=github/check-runs-create/action.yaml
2025-12-30 15:59:09.805 DBG processing file path=github/check-runs-synchronized/action.yaml
2025-12-30 15:59:09.806 DBG processing file path=github/check-runs-terminate/action.yaml
2025-12-30 15:59:09.806 DBG processing file path=github/ghas-dependabot-metadata/action.yaml
2025-12-30 15:59:09.807 DBG fetching tags for version resolution owner=actions repo=checkout page=0
2025-12-30 15:59:10.742 DBG fetching tags for version resolution owner=dependabot repo=fetch-metadata page=0
2025-12-30 15:59:11.037 DBG fallback to github.com owner=dependabot repo=fetch-metadata page=0
2025-12-30 15:59:12.140 DBG fetching tags for version resolution owner=actions repo=github-script page=0
2025-12-30 15:59:12.489 INF file updated path=github/ghas-dependabot-metadata/action.yaml
2025-12-30 15:59:12.489 DBG processing file path=github/ghas-enablement-status/action.yaml
2025-12-30 15:59:12.511 INF file updated path=github/ghas-enablement-status/action.yaml
2025-12-30 15:59:12.511 DBG processing file path=github/mermaid-diagrams/gh-action/action.yaml
2025-12-30 15:59:12.529 INF file updated path=github/mermaid-diagrams/gh-action/action.yaml
2025-12-30 15:59:12.529 DBG processing file path=github/workflow-run-logs/action.yaml
2025-12-30 15:59:12.535 DBG processing file path=github/workflow-run-logs-grep/action.yaml
2025-12-30 15:59:12.540 DBG fetching tags for version resolution owner=seceng-devsecops-platform repo=qoomon-actions--context page=0
2025-12-30 15:59:12.881 DBG fetching commit SHA for branch owner=seceng-devsecops-platform repo=devsecops-platform-github-workflows ref=main
2025-12-30 15:59:13.221 INF file updated path=github/workflow-run-logs-grep/action.yaml
2025-12-30 15:59:13.221 DBG processing file path=messaging/slack-notification/action.yaml
2025-12-30 15:59:13.226 DBG fetching tags for version resolution owner=seceng-devsecops-platform repo=wearerequired-slack-messaging-action page=0
2025-12-30 15:59:13.549 INF file updated path=messaging/slack-notification/action.yaml
2025-12-30 15:59:13.549 DBG processing file path=messaging/slack-notification/arc_harden_runner_values.yaml
2025-12-30 15:59:13.550 DBG processing file path=platform/core/set-base-values/action.yaml
2025-12-30 15:59:13.553 DBG processing file path=platform/core/set-docker-image-settings/action.yaml
2025-12-30 15:59:13.557 INF successfully pinned GitHub Actions to specific commit SHAs changed=5
```
  • Here's a full diff example where mirror actions are fetched locally
    • actions/checkout
diff --git a/actions/custom/load-mapped-repos-to-matrix/action.yaml b/actions/custom/load-mapped-repos-to-matrix/action.yaml
index 180d4ac..91018fe 100644
--- a/actions/custom/load-mapped-repos-to-matrix/action.yaml
+++ b/actions/custom/load-mapped-repos-to-matrix/action.yaml
@@ -21,7 +21,7 @@ runs:
   using: composite
   steps:
     - name: Checkout the customer .github repo
-      uses: actions/checkout@v4.2.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Read the entries in ${{ inputs.mirrored-repos-map-file }}
       shell: bash
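Review bot: this pin was resolved from the enterprise mirror rather than github.com (the debug log earlier in the description shows `fetching tags for version resolution owner=actions repo=checkout` with no `fallback to github.com` line after it), so the SHA is only as trustworthy as the mirror's copy of upstream's v4.2.2 tag; a one-time check that the mirrored tag matches the upstream tag is worth doing before relying on it, because a stale or edited mirror would pin a different commit under the same `# v4.2.2` comment.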
diff --git a/actions/docker/prisma-cloud-scan-reporter/action.yaml b/actions/docker/prisma-cloud-scan-reporter/action.yaml
index 7171310..9d8060b 100644
--- a/actions/docker/prisma-cloud-scan-reporter/action.yaml
+++ b/actions/docker/prisma-cloud-scan-reporter/action.yaml
@@ -190,7 +190,7 @@ runs:
         fi
 
     - name: Add Prisma Cloud PR Comment
-      uses: seceng-devsecops-platform/marocchino-sticky-pull-request-comment-action@v2
+      uses: seceng-devsecops-platform/marocchino-sticky-pull-request-comment-action@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
       if: ${{ steps.scan-check.outputs.scan-report-generated == 'true' }}
       with:
         header: prisma-scan-result-${{ inputs.docker-image-repo-tag }}
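Review bot: the floating `@v2` reference is now frozen at one patch release, and the trailing `# v2.9.4` comment is the only version hint left on the line, so it has to stay accurate. `@v2` used to pick up new patch releases on every run while the SHA never moves, so either re-run `gha-fix pin` on a schedule or have whatever bumps dependencies read that comment; otherwise this line (and the identical pin in sbom-reporter below) quietly stops receiving fixes.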
diff --git a/actions/docker/sbom-reporter/action.yaml b/actions/docker/sbom-reporter/action.yaml
index 3268142..522a708 100644
--- a/actions/docker/sbom-reporter/action.yaml
+++ b/actions/docker/sbom-reporter/action.yaml
@@ -135,7 +135,7 @@ runs:
         fi
 
     - name: Add Docker SBOM PR Comment
-      uses: seceng-devsecops-platform/marocchino-sticky-pull-request-comment-action@v2
+      uses: seceng-devsecops-platform/marocchino-sticky-pull-request-comment-action@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
       if: ${{ steps.sbom-check.outputs.sbom-generated == 'true' && inputs.add-comment-to-current-pr == 'true' }}
       with:
         header: sbom-report-${{ inputs.docker-image-repo-tag }}
diff --git a/actions/github/check-runs-synchronized/action.yaml b/actions/github/check-runs-synchronized/action.yaml
index 939cb7a..efd8c1c 100644
--- a/actions/github/check-runs-synchronized/action.yaml
+++ b/actions/github/check-runs-synchronized/action.yaml
@@ -44,7 +44,7 @@ runs:
       shell: bash
 
     - name: Synchronize on all workflows in the current PR with currently defined PR checks
-      uses: seceng-devsecops-platform/wechuli-allcheckspassed@v2.1.0
+      uses: seceng-devsecops-platform/wechuli-allcheckspassed@f423b273f5fdf73582e41f8f6f0f204d69c27379 # v2.1.0
       with:
           token: ${{ inputs.github-token }}
           # https://github.com/marketplace/actions/allcheckspassed#fail-fast
diff --git a/actions/github/ghas-dependabot-metadata/action.yaml b/actions/github/ghas-dependabot-metadata/action.yaml
index ccf6b1d..5cec368 100644
--- a/actions/github/ghas-dependabot-metadata/action.yaml
+++ b/actions/github/ghas-dependabot-metadata/action.yaml
@@ -25,11 +25,11 @@ runs:
   using: composite
   steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
     
     - name: Dependabot metadata
       id: metadata
-      uses: dependabot/fetch-metadata@v2.3.0
+      uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 # v2.3.0
       with:
         github-token: "${{ inputs.github-token }}"
         # Warning: Dependabot's commit signature is not verified, refusing to proceed.
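Review bot: the two pins in this hunk come from different API hosts and nothing in the file records it: `actions/checkout` was answered by the enterprise mirror while `dependabot/fetch-metadata` went through the github.com fallback (`fallback to github.com owner=dependabot repo=fetch-metadata` in the log above), so the two SHAs are vouched for by different servers and different tokens, which a reader of the diff cannot see. Separately, `@v4` resolved to `v4.3.1` here while load-mapped-repos-to-matrix pins `v4.2.2`; consider aligning the two checkout pins so the repository runs a single version.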
@@ -76,7 +76,7 @@ runs:
     
     - name: Add PR comment with metadata
       id: pr-metadata
-      uses: actions/github-script@v7
+      uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
       with:
         github-token: ${{ inputs.github-token }}
         script: |
diff --git a/actions/github/ghas-enablement-status/action.yaml b/actions/github/ghas-enablement-status/action.yaml
index c6b718f..fdf3160 100644
--- a/actions/github/ghas-enablement-status/action.yaml
+++ b/actions/github/ghas-enablement-status/action.yaml
@@ -25,7 +25,7 @@ runs:
   using: composite
   steps:
     - name: Check if GHAS is enabled
-      uses: actions/github-script@v7
+      uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
       id: status
       with:
         github-token: ${{ inputs.github-token }}
diff --git a/actions/github/mermaid-diagrams/gh-action/action.yaml b/actions/github/mermaid-diagrams/gh-action/action.yaml
index 457d3fc..a89919b 100644
--- a/actions/github/mermaid-diagrams/gh-action/action.yaml
+++ b/actions/github/mermaid-diagrams/gh-action/action.yaml
@@ -37,7 +37,7 @@ runs:
   steps:
     - name: Convert action to Mermaid + Usage
       id: action-diagram
-      uses: actions/github-script@v7
+      uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
       env:
         ORG_REPO_URL: ${{ inputs.org-repo-url }}
         TARGET_REF: ${{ inputs.ref }}
diff --git a/actions/github/workflow-run-logs-grep/action.yaml b/actions/github/workflow-run-logs-grep/action.yaml
index 472b2fc..c74a5cc 100644
--- a/actions/github/workflow-run-logs-grep/action.yaml
+++ b/actions/github/workflow-run-logs-grep/action.yaml
@@ -57,7 +57,7 @@ runs:
   steps:
     - name: Fetch additional workflow properties
       id: workflow-metadata
-      uses: seceng-devsecops-platform/qoomon-actions--context@v4
+      uses: seceng-devsecops-platform/qoomon-actions--context@33b43056fae95271265b29b702dcf5ea3f7708b2 # v4.0.3
 
     - name: View Envs and Outputs
       shell: bash
@@ -74,7 +74,7 @@ runs:
 
     - name: Retrieve the logs from the workflow
       id: workflow-logs
-      uses: seceng-devsecops-platform/devsecops-platform-github-workflows/actions/github/workflow-run-logs@main
+      uses: seceng-devsecops-platform/devsecops-platform-github-workflows/actions/github/workflow-run-logs@719d0b2e862fe65704d1ed53048bc8fe93e1dd61 # main
       with:
         github-org-repo: ${{ inputs.github-org-repo }}
         github-token: ${{ inputs.github-token }}
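Review bot: pinning `@main` to `719d0b2e...` freezes a branch at one commit, but `# main` is not a version, so nothing on this line says when the snapshot was taken or how to tell it has drifted; the log shows it was resolved with `fetching commit SHA for branch ... ref=main`, and every later `gha-fix pin` run will silently move it to whatever `main` is at that moment. If `devsecops-platform-github-workflows` has a tagged release, point `uses:` at that instead; if not, treat this pin as a deliberate snapshot that is re-pinned on purpose rather than as a side effect of re-running the tool.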
diff --git a/actions/messaging/slack-notification/action.yaml b/actions/messaging/slack-notification/action.yaml
index 05d9f95..855c260 100644
--- a/actions/messaging/slack-notification/action.yaml
+++ b/actions/messaging/slack-notification/action.yaml
@@ -131,7 +131,7 @@ runs:
     - id: message
       if: ${{ inputs.messageId == '' }}
       name: New message without updating
-      uses: seceng-devsecops-platform/wearerequired-slack-messaging-action@v3.0.0
+      uses: seceng-devsecops-platform/wearerequired-slack-messaging-action@b8d341605efb42cb7ca093a88faaffee59176928 # v3.0.0
       with:
         bot_token: ${{ inputs.slackBotToken }}
         channel_id: ${{ inputs.channelId }}
@@ -140,7 +140,7 @@ runs:
     - id: message_update
       if: ${{ inputs.messageId != '' }}
       name: Update existing message ${{ inputs.messageId }}
-      uses: seceng-devsecops-platform/wearerequired-slack-messaging-action@v3.0.0
+      uses: seceng-devsecops-platform/wearerequired-slack-messaging-action@b8d341605efb42cb7ca093a88faaffee59176928 # v3.0.0
       with:
         bot_token: ${{ inputs.slackBotToken }}
         channel_id: ${{ inputs.channelId }}
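Review bot: both the `message` and `message_update` steps now carry the same SHA, so any future bump has to touch both lines in lockstep. Also, the wrong-token test in the description shows the tags endpoint for this repository answering 403 on the enterprise server, so this pin can only be refreshed with an enterprise token that can read `seceng-devsecops-platform`; that is worth stating in the docs this PR adds.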

@marcellodesales force-pushed the feature/support-github-enterprise branch from d1faf16 to 7dbdfb4 on December 30, 2025 20:49