Generate and verify lockfiles for GitHub Actions dependencies.
Pin all actions to exact commit SHAs with integrity hashes.
The Problem
GitHub Actions has no built-in mechanism to lock dependency versions.
Version tags like @v4 are mutable: they can be silently retagged to point to different code, so the same workflow can run different code tomorrow than it ran today.
Composite actions pull in transitive dependencies you can't see or audit.
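To make the problem concrete, here is an added example (not part of gh-actions-lockfile, and not its code) that audits a workflow file for `uses:` references and reports which ones point at a mutable ref (a tag or branch) rather than a full 40-character commit SHA. The workflow text and the SHA in it are constructed placeholders. It only sees the direct references in the workflow; the `uses:` steps inside a composite action's own action.yml are exactly the transitive dependencies this check cannot reach.

```python
import re

# Constructed sample workflow for the demo (not from any real project).
# The 40-hex value is a placeholder, not a real actions/setup-node commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
      - run: npm test
"""

# A full commit SHA is 40 lowercase hex characters; GitHub rejects abbreviated SHAs
# in `uses:`, so anything shorter is treated as mutable here.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses:` lines (step `- uses:` or a job-level `uses:` for reusable workflows)
# and captures the reference up to whitespace, quotes, or a trailing `# comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")


def classify_ref(uses: str) -> str:
    """Classify one `uses:` value: local, docker, sha, mutable, or unpinned."""
    if uses.startswith("./"):
        return "local"          # lives in this repo; versioned with the workflow itself
    if uses.startswith("docker://"):
        return "docker"         # image refs have their own pinning story (digests)
    if "@" not in uses:
        return "unpinned"       # no ref at all
    _, ref = uses.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, uses value, classification) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            uses = m.group(1)
            findings.append((lineno, uses, classify_ref(uses)))
    return findings


def unpinned(text: str) -> list[tuple[int, str]]:
    """Only the references that can change underneath you without a workflow edit."""
    return [(n, u) for n, u, kind in audit_workflow(text) if kind in ("mutable", "unpinned")]


if __name__ == "__main__":
    for lineno, uses in unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {uses} is not pinned to a full commit SHA")
```

Running it on the sample reports only line 7 (`actions/checkout@v4`); the SHA-pinned step, the local action and the Docker image pass. Pinning a direct reference this way still says nothing about what that commit's composite steps pull in, which is the gap a lockfile with transitive resolution is meant to close.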
The Solution
gh-actions-lockfile creates a lockfile that pins every action (including transitive dependencies) to exact commit SHAs with integrity hashes.
Quick Start
As a GitHub Action (recommended)
Features
- Pins actions to exact commit SHAs
- Includes integrity hashes for verification
- Resolves transitive dependencies from composite actions
- Visualizes your action dependency tree
- Runs as a GitHub Action or CLI tool
- Zero runtime dependencies beyond Node.js
Secure your workflows today
gh-actions-lockfile is open source under the AGPL-3.0 license.