Gh-actions-lockfile: generate and verify lockfiles for GitHub Actions(gh-actions-lockfile.net)
31 points by gjtorikian 3 days ago | 7 comments
supriyo-biswas 38 minutes ago
TBH this discussion and the need for a lockfile for your CI makes me dizzy, is there something I'm missing wrt GHA that makes it awesome enough to be worth these tradeoffs?

For reference, I come from a Gitlab CI background and all I want is to specify a container, and the CI system should clone my repo in it and run some tests; perhaps optionally allow me to write stuff in a text file that can be displayed on the pull request or the commit (although Gitlab CI doesn't do that AFAIK). Is there something I'm missing due to which GHA architecture is so complicated?

larusso 5 minutes ago
Maybe the few dozen developers not working on something that can be build with Linux only?
tomeraberbach 3 hours ago
Mildly ironic that the quickstart suggests starting with an unpinned action

gjtorikian/gh-actions-lockfile@v1

Presumably since it has to run first it must run unpinned?

Elucalidavah 3 hours ago
Arguably, that's exactly the one action that will need to be hash-pinned, since all the consecutive actions will at least be verified against the lockfile.
hanspagel 2 hours ago
From what I see, this does not help with pinning the dependencies and it doesn’t verify the downloaded action has the same content as it used to have. In other words, this is a tiny patch on a big wound.

We use commit hashes to pin actions, have the version as a comment (e.g # v4) and renovate will keep both up to date in the PRs.

And there is a more or less recently added repository setting to require actions to be pinned to hashes.

baobun 27 minutes ago
This is the way to do it.

Pin by hash.

Verify that the actions themselves aren't pulling in unpinned dependencies from Actions, NPM, or elsewhere.

Have a CI job or bot create PRs for new versions. Verify those PRs before merging.

If any particular action becomes a recurring chore or risk, consider if you should keep depending on it.

If you do these things, the "we need a package manager" is moot and most if not all of the concerns in that blog post don't affect you.

silverwind 2 hours ago
Pinning actions doesn't really work because most action dependencies are unpinned thanks to npm default behaviour of not pinning them.
baobun 17 minutes ago
Just don't use actions which pull in arbitrary npm packages without a lockfile.
NamlchakKhandro 1 hour ago
Why do you need this?

Just pin your actions to shasum

progbits 1 hour ago
If that action itself has unpinned dependencies that doesn't accomplish much.
baobun 18 minutes ago
Don't use such actions. Or fork them and commit add the lockfile yourself, if you're cool with the implied maintenance.
oldmancode 3 hours ago
https://github.com/suzuki-shunsuke/pinact works great
Sytten 3 hours ago
I have been banging on that drum for like 2 years now, glad the community has figured a way around it. Still utterly ridiculous that this is not native.

They even closed the immutable action issue as a "wont fix" cause you know when it's too hard we all know the best way is to give up. Not like there wasany major security incident this year due to this /s

EatFlamingDeath 2 hours ago
I feel like at this point we should just abandon GitHub Actions altogether.