They even closed the immutable action issue as a "wont fix" cause you know when it's too hard we all know the best way is to give up. Not like there wasany major security incident this year due to this /s
JavaScript actions are already bundled.
We use commit hashes to pin actions, have the version as a comment (e.g # v4) and renovate will keep both up to date in the PRs.
And there is a more or less recently added repository setting to require actions to be pinned to hashes.
Pin by hash.
Verify that the actions themselves aren't pulling in unpinned dependencies from Actions, NPM, or elsewhere.
Have a CI job or bot create PRs for new versions. Verify those PRs before merging.
If any particular action becomes a recurring chore or risk, consider if you should keep depending on it.
If you do these things, the "we need a package manager" is moot and most if not all of the concerns in that blog post don't affect you.
I believe this problem is probably overstated. Can you point us to such an action you are concerned with that has either transitive actions dependency or unlocked npm dependencies where maintainers aren't responsive to addressing PRs to illustrate?
Just pin your actions to shasum
This is a long solved problem in every other ecosystem. This particular implementation isn't great but it has the right idea.
Depending on the action you use, this is no small task. You might as well just switch to something else altogether.
For reference, I come from a Gitlab CI background and all I want is to specify a container, and the CI system should clone my repo in it and run some tests; perhaps optionally allow me to write stuff in a text file that can be displayed on the pull request or the commit (although Gitlab CI doesn't do that AFAIK). Is there something I'm missing due to which GHA architecture is so complicated?
Other CI platforms have plugins, but the “plugins” in GitHub really get used as the core primitive of the system, which is part of what makes it so simple & easy to use… for really basic workflows. You just hook up a couple actions like this and you’re good to go, no shell scripting required. (Though you can totally do that too.)
I mean at the end of the day, it’s a big part of the value proposition, even if I prefer a much more bare metal approach. GHA is really not great at massive CI workloads.
..and in the next update cycle, you will see all actions be pinned like this:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
Fully pinning action references themselves is a step in the right direction, but the ecosystem as a whole probably has expectations that are misaligned with reproducibility/hermeticity, and those expectations will be challenging to overcome.
tomeraberbach•1mo ago
gjtorikian/gh-actions-lockfile@v1
Presumably since it has to run first it must run unpinned?
Elucalidavah•1mo ago
tomeraberbach•1mo ago