Shunsuke Suzuki
seli07.bsky.social
Software Engineer (Platform Engineer)
OSS Developer
https://github.com/suzuki-shunsuke
https://twitter.com/szkdash
ghtkn was featured in DevOps "Office Hours" (2025-09-17) 🎉
www.youtube.com/watch?v=jCgK...
DevOps "Office Hours" (2025-09-17)
YouTube video by Cloud Posse
September 18, 2025 at 11:59 AM
My new OSS project, ghtkn, is out!
It’s a CLI tool for creating user access tokens for a GitHub App via Device Flow, designed for secure local development.
No more relying on long-lived access tokens.
github.com/suzuki-shuns...
GitHub - suzuki-shunsuke/ghtkn: A CLI to create GitHub App User Access Token for secure local development
September 14, 2025 at 12:01 AM
Introducing ghtkn — Your Safer GitHub Token Solution
dev.to/suzukishunsu...
Are you still relying on long-lived GitHub tokens—like Personal Access Tokens (PATs) or OAuth tokens...
September 13, 2025 at 11:59 PM
pinact v3.4.1 is out 🎉
Fix the confusing error message `action isn't pinned` when it fails to handle a line due to GitHub API error.
github.com/suzuki-shuns...
Release v3.4.1 · suzuki-shunsuke/pinact
Pull Requests | Issues | v3.4.0...v3.4.1 🐛 Bug Fixes #1083 Fix the error message if it fails to handle a line
August 13, 2025 at 12:06 AM
pinact v3.4.0 is out 🎉
You can now fix or exclude only specific actions by regular expression using command line options.
github.com/suzuki-shuns...
Release v3.4.0 · suzuki-shunsuke/pinact
Pull Requests | Issues | v3.3.2...v3.4.0 Features #1082 Support fixing or excluding only specific actions You can now fix only specific actions using the -include (-i) <regular expression> option. ...
August 12, 2025 at 11:16 PM
tfaction v1.18.0 🎉
Now tfaction can create commits and pull requests using Securefix Action.
It improves the security of your Terraform workflows.
github.com/suzuki-shuns...
Release v1.18.0 · suzuki-shunsuke/tfaction
Issues | Pull Requests | v1.17.0...v1.18.0 | Base revision Features #2777 #2780 #2785 #2789 #2792 #2793 #2794 #2796 #2833 #2838 Support creating commits and pull requests by Securefix Action You ca...
July 23, 2025 at 11:28 PM
Securefix Action v0.2.0 🎉
You can now change the repository and branch where a commit is pushed.
You can also create pull requests.
You can replace insecure commit and PR generation with Securefix Action, elevating the security to the next level.
github.com/csm-actions/...
Release v0.2.0 · csm-actions/securefix-action
Issues | Pull Requests | v0.1.0...v0.2.0 | Base revision Overview Breaking Changes #164 The process label deletion was moved from the client side to the server side Features #123 Support pushi...
July 23, 2025 at 11:28 PM
validate-pr-review-action v0.0.8 🎉
Supported `merge_group` event without any settings.
github.com/suzuki-shuns...
Release v0.0.8 · suzuki-shunsuke/validate-pr-review-action
Issues | Pull Requests | v0.0.7...v0.0.8 | Base revision Features #182 Support merge_group event by default
July 23, 2025 at 11:27 PM
Reposted by Shunsuke Suzuki
🍻 tfmv 🍻

CLI to rename Terraform resources and generate moved blocks

🔗 https://github.com/suzuki-shunsuke/tfmv

#homebrew #newpkg #macos #linux #formula
May 16, 2025 at 12:48 PM
Reposted by Shunsuke Suzuki
🍻 ghalint 🍻

GitHub Actions linter

🔗 https://github.com/suzuki-shunsuke/ghalint

#homebrew #newpkg #macos #linux #formula
June 29, 2025 at 12:47 PM
🍻 You can now install tfcmt using the official Homebrew Formula 🍻
🍻 tfcmt 🍻

Notify the execution result of terraform command

🔗 https://suzuki-shunsuke.github.io/tfcmt/

#homebrew #newpkg #macos #linux #formula
May 12, 2025 at 9:48 AM
I've released a new GitHub Action to validate pull request reviews.
It enforces the requirement for reviews and prevents pull requests from being merged without proper review.
github.com/suzuki-shuns...
GitHub - suzuki-shunsuke/validate-pr-review-action: GitHub Action to validate pull request reviews
May 11, 2025 at 8:45 PM
aqua v2.51.1 is out 🎉
You can now manage a GitHub Access token using a secret store such as Windows Credential Manager, macOS Keychain, and GNOME Keyring.
github.com/aquaproj/aqu...
Release v2.51.1 · aquaproj/aqua
Pull Requests | Issues | v2.51.0...v2.51.1 Features #3852 #3853 Support managing a GitHub access token using Keyring You can now manage a GitHub Access token using secret store such as Windows Cred...
May 6, 2025 at 9:33 AM
I wrote the document about the Client/Server Model to make GitHub Actions secure.
You can protect server workflows with strong permissions and credentials by separating them from client workflows.
For details, please see the document.
github.com/csm-actions/...
GitHub - csm-actions/docs: Client / Server Model document
May 5, 2025 at 8:23 AM
Reposted by Shunsuke Suzuki
pinact solves the problem of malware inside GitHub actions (already happening in practice).

It automatically pins actions to a specific commit (since regular version tags can be re-released) and updates them later.

It’s like a lockfile, but for CI.

github.com/suzuki-shuns...
April 5, 2025 at 3:44 PM
pinact v3 is out 🎉
There are several breaking changes.
These changes make pinact securer by default.
For more details, please check the release note out.
github.com/suzuki-shuns...
Release v3.0.0 · suzuki-shunsuke/pinact
Pull Requests | Issues | v2.2.1...v3.0.0 ⚠ Breaking Changes Note: If you don't use pinact configuration file .pinact.yaml, you don't need to do anything. #855 Change the default schema version to 3 ...
April 1, 2025 at 12:10 AM
Do you pin GitHub Actions versions to full length commit hash?
If so, how about verifying checksums when downloading assets from GitHub Releases or somewhere?
You can verify checksums and update checksums easily using aqua.
aquaproj.github.io/docs/guides/...
Enable Checksum Verification | aqua
About Checksum Verification, please see also.
April 1, 2025 at 12:08 AM
cmdx v2.0.0 is out 🎉
- The default shell is changed from sh to `bash -euo pipefail`. If bash isn't available, sh is used.
- The format of pre-built binaries for Windows is changed from tar.gz to zip
github.com/suzuki-shuns...
Release v2.0.0 · suzuki-shunsuke/cmdx
Pull Requests | Issues | v1.7.7...v2.0.0 ⚠️ Breaking Changes The default shell is changed from sh to bash -euo pipefail. If bash isn't available, sh is used. The format of pre-built binaries for W...
April 1, 2025 at 12:04 AM
The number of stars for pinact increased by about 90 due to the tj-actions incident. 💫
March 18, 2025 at 10:15 PM
This post introduces how to pin GitHub Action versions across all repositories in your organization.

Pin GitHub Actions to a full length commit SHA for Security
dev.to/suzukishunsu...
Last weekend, the popular GitHub Action tj-actions/changed-files was...
March 17, 2025 at 12:17 PM
The popular GitHub Action tj-actions/changed-files was compromised.
To avoid this kind of threat, pinning action versions by full commit hash is recommended.
You can do it using pinact, which is a CLI to pin GitHub Actions by one command.
github.com/suzuki-shuns...
GitHub - suzuki-shunsuke/pinact: pinact is a CLI to edit GitHub Workflow and Composite action files and pin versions of Actions and Reusable Workflows. pinact can also update their versions and verify...
March 15, 2025 at 11:26 AM
🎉 I'm really glad to announce my new OSS project.
Securefix Action is GitHub Actions to fix code securely.
It elevates the security of your workflows to the next level.
It allows you to fix code without sharing a secret having strong permissions with workflows widely.
github.com/securefix-ac...
GitHub - securefix-action/action: GitHub Action to fix code securely
March 14, 2025 at 12:37 AM