Lock down your GitHub Actions

Generate and verify lockfiles for GitHub Actions dependencies.
Pin all actions to exact commit SHAs with integrity hashes.

The Problem

No native lockfile: GitHub Actions has no built-in mechanism to lock dependency versions.
Mutable tags: version tags like @v4 can be silently retagged to point to different code.
Hidden dependencies: composite actions pull in transitive dependencies you can't see or audit.

The Solution

gh-actions-lockfile creates a lockfile that pins every action (including transitive dependencies) to exact commit SHAs with integrity hashes.

{
  "version": 1,
  "generated": "2025-12-15T20:37:39.422Z",
  "actions": {
    "actions/checkout": [
      {
        "version": "v4",
        // This is the Git commit SHA (the 40-character hex hash).
        // It identifies the exact commit in the action's repository that will be checked out.
        // It answers: "which version of the code should I fetch?"
        "sha": "11bd71901bbe5b1630ceea73d27597364c9af683",
        // This is a Subresource Integrity (SRI) hash of the action's content (using SHA-256).
        // It answers: "is the content I fetched what I expected?"
        "integrity": "sha256-abc123...",
        // This tracks transitive dependencies — other GitHub Actions that a composite action uses internally.
        "dependencies": []
      }
    ]
  }
}

Quick Start

As a GitHub Action (recommended)

- uses: gjtorikian/gh-actions-lockfile@v1
  with:
    mode: verify # or 'generate'

Via the CLI

# Generate a lockfile
node dist/cli.js generate

# Verify workflows match
node dist/cli.js verify

# Show dependency tree
node dist/cli.js list

Features

  • Pins actions to exact commit SHAs
  • Includes integrity hashes for verification
  • Resolves transitive dependencies from composite actions
  • Visualizes your action dependency tree
  • Runs as a GitHub Action or CLI tool
  • Zero runtime dependencies beyond Node.js

Secure your workflows today