GitHub Actions Has a Package Manager, and It Might Be the Worst
5 days ago
- #Package Management
- #GitHub Actions
- #Security
- GitHub Actions lacks security features that mature package managers take for granted: lockfiles, integrity hashes, and visibility into the full dependency tree.
- Research shows high risks: 99.7% of repositories use externally developed Actions, 97% from unverified creators, and 18% with missing security updates.
- Version references such as `@v4` are mutable git tags or branches, and an action's own `uses:` lines pull in further actions that never appear in the consuming workflow, so workflows are exposed to silent changes and tampering.
- With no integrity verification, re-running a workflow is not reproducible: the same `uses:` reference can resolve to different code on different runs.
- The resolution semantics are undocumented and there is no registry, which adds further risk.
- These design flaws have been inherited by compatible alternatives such as Forgejo Actions, even though the problems are well known.
- Solutions like lockfiles, integrity hashes, and better dependency visibility are not implemented, despite community requests.
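The page describes what is missing; the check most practitioners actually run today is the narrower one GitHub's own hardening guidance recommends, namely pinning each third-party action to a full commit SHA rather than a tag or branch. The script below is an added example, not code from the article or from GitHub, that scans the `uses:` lines of a workflow and reports which references are content-addressed (a 40-hex commit SHA, or a `sha256:` digest for `docker://` images) and which are movable. The sample workflow, the organisation names and the hash values in it are constructed for illustration and do not correspond to real actions or commits. It deliberately uses a line-based regular expression instead of a YAML parser so it runs on the standard library alone; it therefore only sees `uses:` keys written one per line, which is how workflows are normally laid out.

```python
"""Audit GitHub Actions workflow text for mutable `uses:` references.

Added example (not from the article). Tags and branches are movable git
refs, so `owner/repo@v4` can resolve to different code tomorrow; a full
commit SHA cannot. This scanner classifies every `uses:` line as local,
docker or remote and flags the ones that are not pinned to a content hash.
"""
import re
from dataclasses import dataclass

# `- uses: owner/repo@ref  # optional comment`, with or without quotes.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?\s*(?:#\s*(.*))?$')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')            # full git commit SHA
DIGEST_RE = re.compile(r'^sha256:[0-9a-f]{64}$')  # OCI image digest


@dataclass
class UsesRef:
    line_no: int
    raw: str
    kind: str      # "local", "docker" or "remote"
    ref: str       # the version part after '@' (or image tag), "" if none
    pinned: bool   # True only when ref is a content hash
    comment: str   # trailing comment, e.g. the "v4.0.3" beside a SHA pin


def classify(raw: str) -> tuple[str, str, bool]:
    """Return (kind, ref, pinned) for one `uses:` value."""
    if raw.startswith("./"):
        # Local actions come from the same checkout as the workflow itself,
        # so they are as fixed as the commit that is running.
        return "local", "", True
    if raw.startswith("docker://"):
        image = raw[len("docker://"):]
        if "@" in image:
            ref = image.rsplit("@", 1)[1]
            return "docker", ref, bool(DIGEST_RE.match(ref))
        last = image.rsplit("/", 1)[-1]
        ref = last.rsplit(":", 1)[1] if ":" in last else ""
        return "docker", ref, False      # image tags are mutable, like git tags
    if "@" not in raw:
        return "remote", "", False       # GitHub rejects this; flag, don't crash
    ref = raw.rsplit("@", 1)[1]
    return "remote", ref, bool(SHA_RE.match(ref))


def audit_workflow(text: str) -> list[UsesRef]:
    """Scan workflow (or composite action.yml) text and classify each `uses:`."""
    found = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        raw, comment = m.group(1), (m.group(2) or "").strip()
        kind, ref, pinned = classify(raw)
        found.append(UsesRef(line_no, raw, kind, ref, pinned, comment))
    return found


def unpinned(text: str) -> list[str]:
    """The references a reviewer should push back on."""
    return [r.raw for r in audit_workflow(text) if not r.pinned]


# Constructed sample input: names and hashes are made up for this example.
FAKE_SHA = "0123456789abcdef" * 2 + "01234567"   # 40 hex chars
FAKE_DIGEST = "ab" * 32                            # 64 hex chars
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@{FAKE_SHA}  # v4.0.3
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - uses: docker://ghcr.io/example/tool@sha256:{FAKE_DIGEST}
      - uses: 'octo-org/octo-action@main'
"""

if __name__ == "__main__":
    for r in audit_workflow(SAMPLE_WORKFLOW):
        status = "pinned  " if r.pinned else "MUTABLE "
        print(f"line {r.line_no:>3}: {status} {r.kind:<7} {r.raw}")
```

Pinning only closes the first hop. A SHA-pinned composite action still contains its own `uses:` lines in `action.yml`, resolved at run time from whatever refs its author chose, and that is precisely the invisible transitive layer the page complains about. Because composite actions use the same `uses:` syntax, `audit_workflow` can be run over each pinned action's `action.yml` to expose one more layer, but nothing in the platform records the resolved result the way a lockfile would.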