Pin Actions to SHAs

gh-actions-lockfile generates a lockfile that pins actions — including transitive dependencies — to exact commit SHAs with integrity hashes, enabling verification and auditability via a GitHub Action or CLI.

Your CI can change without you noticing. Pin every GitHub Action to a commit SHA and stop silent supply‑chain drift.

Source: gh-actions-lockfile (GitHub)

Highlights

No native lockfile: GitHub Actions has no built-in mechanism to lock dependency versions.
Mutable tags risk: Version tags like @v4 can be silently retagged to point to different code, so a workflow that references a tag runs whatever that tag resolves to at run time.
Hidden transitive deps: Composite actions carry their own uses: references, transitive dependencies you cannot see or audit from the top-level workflow.
Lockfile solution: Creates a lockfile that pins every action (including transitive dependencies) to exact commit SHAs with integrity hashes.
Lockfile structure: Records a version number, a generated timestamp, and an actions mapping whose entries carry sha, integrity, and dependencies fields.
Run modes: Runs as a GitHub Action (recommended) or as a CLI; supports generate, verify and list commands.

Key points

  • Problem: no native lockfile, mutable tags, and hidden transitive dependencies create supply‑chain risk for GitHub Actions.
  • Solution: gh-actions-lockfile pins actions to exact commit SHAs and records Subresource Integrity (SRI) hashes for verification.
  • The tool resolves transitive dependencies from composite actions so every referenced action can be audited and locked.
  • Recommended usage: run as a GitHub Action with mode: verify or mode: generate; CLI options: generate, verify, list.
  • Lockfile example includes a version number, a generated timestamp, and an actions map with sha, integrity, and dependencies fields.
  • Features: visualizes the action dependency tree and verifies workflows match the lockfile.
  • Open source under AGPL-3.0 and requires only Node.js (zero additional runtime dependencies).

Why this matters

Locking actions turns silent supply‑chain changes into visible verification failures: workflows become reproducible and auditable, and a retagged or compromised action no longer reaches your CI unnoticed, which improves security, compliance, and operational reliability. One caveat for practitioners: pinning to a SHA freezes the code but does not vet it, so the lockfile still deserves review whenever it is regenerated.