Gh-actions-lockfile: generate and verify lockfiles for GitHub Actions

https://gh-actions-lockfile.net
21•gjtorikian•3d ago

Comments

tomeraberbach•1h ago
Mildly ironic that the quickstart suggests starting with an unpinned action

gjtorikian/gh-actions-lockfile@v1

Presumably since it has to run first it must run unpinned?

Elucalidavah•1h ago
Arguably, that's exactly the one action that will need to be hash-pinned, since all the consecutive actions will at least be verified against the lockfile.

Sytten•1h ago
I have been banging on that drum for like 2 years now, glad the community has figured a way around it. Still utterly ridiculous that this is not native.

They even closed the immutable action issue as a "wont fix" cause you know when it's too hard we all know the best way is to give up. Not like there was any major security incident this year due to this /s

EatFlamingDeath•40m ago
I feel like at this point we should just abandon GitHub Actions altogether.

silverwind•1h ago
Pinning actions doesn't really work because most action dependencies are unpinned thanks to npm default behaviour of not pinning them.

hanspagel•30m ago
From what I see, this does not help with pinning the dependencies and it doesn’t verify the downloaded action has the same content as it used to have. In other words, this is a tiny patch on a big wound.

We use commit hashes to pin actions, have the version as a comment (e.g. # v4) and renovate will keep both up to date in the PRs.

And there is a more or less recently added repository setting to require actions to be pinned to hashes.

NamlchakKhandro•6m ago
Why do you need this?

Just pin your actions to shasum
