Introduction
gopin is a CLI tool that automatically pins the versions of `go install` commands in your files for reproducible builds and enhanced security. It scans your Makefiles and GitHub Actions workflows and converts `@latest` to specific semantic versions.
Quick Start
Installation:
```sh
go install github.com/nnnkkk7/gopin/cmd/gopin@latest
```
Why gopin?
Using `@latest` in `go install` commands creates several problems:
- No reproducibility: Different runs may install different versions
- Security risk: A malicious version could be installed unknowingly
- CI/CD instability: Team members might use different tool versions
- Debugging difficulty: Hard to reproduce past builds
gopin solves these by automatically updating every `go install` command to the latest specific semantic version.
Features
- Pin `@latest` to specific versions (e.g., `@latest` → `@v2.6.2`)
- Update outdated pinned versions (e.g., `@v1.0.0` → `@v2.6.2`)
- Add missing versions to commands without them
- Configurable via `.gopin.yaml`
- Supports Makefiles, GitHub Actions workflows, and custom file patterns
Example
Before:
```sh
go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
```
After running `gopin run`:
```sh
go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.6.2
```
Basic Usage
```sh
# Pin all @latest versions in target files
gopin run
# Preview changes without applying
gopin run --dry-run
# Check for unpinned versions (useful for CI)
gopin check
# List all go install commands
gopin list
```
How It Works
- Scans files matching configured patterns (default: Makefiles, `.github/**/*.yml`)
- Detects `go install <module>@<version>` patterns using regex
- Queries `proxy.golang.org` for the latest version
- Rewrites files with pinned versions
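The four steps above, written out as a small Go program. This is an added example, not gopin's own source: the regex, the `Resolver` type, the `pinInstalls` and `unpinned` functions and the `example.com/tools` module with its versions are all constructed here. The lookup that gopin performs against proxy.golang.org is replaced by an injected resolver so the program runs offline. One detail the list glosses over is shown explicitly: `go install` takes a package path, while the proxy is keyed by module path, so the resolver has to walk up the path until it finds the enclosing module. This version pins `@latest` and missing versions only; it does not update already-pinned commands.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// goInstallRe captures the package path (group 1) and the optional "@version"
// suffix (group 2) of a `go install` command embedded in any text.
var goInstallRe = regexp.MustCompile(`\bgo install\s+([A-Za-z0-9._~/-]+)(?:@(\S+))?`)

// Resolver returns the latest tagged version of a module path, or errNotFound when
// the path is not a module. gopin asks proxy.golang.org; here it is injected.
type Resolver func(modulePath string) (string, error)

var errNotFound = errors.New("module not found")

// parent drops the last path element: a/b/c -> a/b, a -> "".
func parent(p string) string {
	if i := strings.LastIndex(p, "/"); i >= 0 {
		return p[:i]
	}
	return ""
}

// resolveLatest walks from the package path up through its parent prefixes until
// the resolver recognises a module (.../golangci-lint/v2/cmd/golangci-lint is a
// package inside module .../golangci-lint/v2).
func resolveLatest(pkgPath string, r Resolver) (string, error) {
	for cand := pkgPath; cand != ""; cand = parent(cand) {
		v, err := r(cand)
		if err == nil {
			return v, nil
		}
		if !errors.Is(err, errNotFound) {
			return "", err
		}
	}
	return "", fmt.Errorf("no module found for %s", pkgPath)
}

// pinInstalls rewrites commands that use @latest or carry no version. Explicitly
// pinned commands are left untouched (idempotent); unresolved ones are kept as-is.
func pinInstalls(src string, r Resolver) (string, error) {
	var firstErr error
	out := goInstallRe.ReplaceAllStringFunc(src, func(m string) string {
		sub := goInstallRe.FindStringSubmatch(m)
		pkg, ver := sub[1], sub[2]
		if ver != "" && ver != "latest" {
			return m
		}
		latest, err := resolveLatest(pkg, r)
		if err != nil {
			if firstErr == nil {
				firstErr = err
			}
			return m
		}
		return "go install " + pkg + "@" + latest
	})
	return out, firstErr
}

// unpinned lists package paths still installed with @latest or without a version.
func unpinned(src string) []string {
	var out []string
	for _, sub := range goInstallRe.FindAllStringSubmatch(src, -1) {
		if sub[2] == "" || sub[2] == "latest" {
			out = append(out, sub[1])
		}
	}
	return out
}

// Constructed sample input: the example.com module and its versions are made up.
const sampleMakefile = `tools:
	go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
	go install example.com/tools/cmd/lint
	go install example.com/tools/cmd/fmt@v0.3.0
`

// fakeResolver stands in for proxy.golang.org with a constructed index.
func fakeResolver(modulePath string) (string, error) {
	index := map[string]string{
		"github.com/golangci/golangci-lint/v2": "v2.6.2",
		"example.com/tools":                    "v0.4.1",
	}
	if v, ok := index[modulePath]; ok {
		return v, nil
	}
	return "", errNotFound
}

func main() {
	out, err := pinInstalls(sampleMakefile, fakeResolver)
	fmt.Print(out)
	fmt.Println("unpinned after:", unpinned(out), "err:", err)
}
```

In the real tool the resolver is an HTTP GET of `https://proxy.golang.org/<module>/@latest`, which returns a JSON object whose `Version` field is the latest tagged release; note that the GOPROXY protocol case-encodes module paths, so every uppercase letter in the path must be sent as `!` followed by its lowercase form. Pinning fixes which version is requested; the Go checksum database (sum.golang.org) still verifies the module contents when `go install` runs, so the pinned version string and the verified checksum together are what make the build reproducible.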
For more details, see the repository: [GitHub - nnnkkk7/gopin: CLI tool to automatically pin go install versions for reproducible builds and enhanced security](https://github.com/nnnkkk7/gopin)