gh-actions-lockfile: generate and verify lockfiles for GitHub Actions
4 days ago
- #Dependency Management
- #GitHub Actions
- #Security
- GitHub Actions has no native lockfile mechanism, so workflows reference mutable tags (a tag can be moved to different code after review) and pull in transitive action dependencies that are never declared anywhere.
- gh-actions-lockfile provides a solution by generating a lockfile that pins all actions to exact commit SHAs with integrity hashes.
- The lockfile includes version, SHA, integrity hash, and tracks transitive dependencies for comprehensive auditing.
- It runs either as a GitHub Action or as a CLI tool, with modes to generate the lockfile, verify workflows against it, and list dependency trees.
- Features include pinning exact commit SHAs, integrity verification, resolving transitive dependencies, and visualizing dependency trees.
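To make the verify step concrete, here is an added example (written for this summary, not the project's own code) that audits the `uses:` references in a workflow and checks whether the tags recorded in a lockfile still resolve to the locked SHAs. The workflow text, lockfile contents and "current resolution" data are all constructed, and the lockfile shape is an assumption, since the real gh-actions-lockfile schema is not shown here.

```python
import re

# Constructed sample workflow: one mutable tag, one full SHA pin, one unknown action.
WORKFLOW = """
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: example/unknown-action@main
"""

# Constructed lockfile (assumed shape): "owner/repo@ref" -> commit SHA it was locked to.
LOCKFILE = {
    "actions/checkout@v4": "fedcba9876543210fedcba9876543210fedcba98",
    "actions/setup-node@v4": "0123456789abcdef0123456789abcdef01234567",
}

# Matches `uses: owner/repo[/path]@ref`; local (./path) and docker:// actions are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(workflow_text, lockfile):
    """Classify every remote action reference in a workflow.

    pinned   - already references a full 40-hex commit SHA (immutable)
    locked   - mutable ref, but the lockfile records the SHA it must resolve to
    unlocked - mutable ref with no lockfile entry, so it cannot be verified
    """
    findings = []
    for match in USES_RE.finditer(workflow_text):
        key = f"{match.group(1)}@{match.group(2)}"
        if SHA_RE.match(match.group(2)):
            findings.append((key, "pinned"))
        elif key in lockfile:
            findings.append((key, "locked"))
        else:
            findings.append((key, "unlocked"))
    return findings


def verify_lockfile(lockfile, resolved):
    """Compare each locked SHA with what the tag currently resolves to.

    `resolved` stands in for a live lookup (e.g. git ls-remote) and is supplied
    by the caller so this runs offline. A 'moved' result means the tag now
    points at different code than the one that was reviewed and locked.
    """
    report = {}
    for key, locked_sha in lockfile.items():
        current = resolved.get(key)
        if current is None:
            report[key] = "unresolvable"
        elif current != locked_sha:
            report[key] = "moved"
        else:
            report[key] = "ok"
    return report
```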