I know there are a few solutions out there to the "GHA doesn't have a lockfile" problem that we all know and love.
This is the one that I created to use internally at Old Well Labs. It makes using the `Require actions to be pinned to a full-length commit SHA` setting way less painful for us. Unlike most other options, it also supports vendoring actions within the repo (that's why it's called action-locker, like a locker). So if an upstream repo totally leaves github, you won't be high and dry.
It's open source, has extremely limited dependencies, lets you age-gate ghas (ex: don't deploy ones that are newer than x days old) and works with pre-commit hooks ( there's a demo repo showing this - steph-owl/action-locker-demo )
sudosteph•1h ago
I know there are a few solutions out there to the "GHA doesn't have a lockfile" problem that we all know and love.
This is the one that I created to use internally at Old Well Labs. It makes using the `Require actions to be pinned to a full-length commit SHA` setting way less painful for us. Unlike most other options, it also supports vendoring actions within the repo (that's why it's called action-locker, like a locker). So if an upstream repo totally leaves github, you won't be high and dry.
It's open source, has extremely limited dependencies, lets you age-gate ghas (ex: don't deploy ones that are newer than x days old) and works with pre-commit hooks ( there's a demo repo showing this - steph-owl/action-locker-demo )