Lock

Lock is a lightweight CLI that pins your GitHub Actions to specific commit SHAs. It automatically updates workflows while keeping them locked to trusted versions for security and reproducibility.

Lock scans your workflow files, resolves every uses: reference through the GitHub API, and rewrites it in place:

# before
- uses: actions/checkout@v6.0.2

# after
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

The original tag is preserved as an inline comment so you can still see which version you're on at a glance.
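The rewrite shown above, as an added Python example that is not Lock's own Rust source: it finds `uses:` steps, skips local actions and references that are already full SHAs, replaces the tag with the resolved commit, and keeps the tag as a trailing comment. The GitHub API lookup is replaced by a constructed table (`FAKE_TAGS`, `fake_resolve`); only the checkout SHA is the one quoted in this README, the setup-node SHA is made up.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# A `uses:` step line: indentation, `owner/repo[/path]@ref`, optional trailing comment.
USES_RE = re.compile(r"^(?P<head>\s*-?\s*uses:\s*)(?P<action>[^\s@#]+)@(?P<ref>[^\s#]+)\s*(?:#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
Resolver = Callable[[str, str], Optional[str]]  # (action, tag) -> full commit SHA, or None

def pin_line(line: str, resolve: Resolver) -> Tuple[str, Optional[str]]:
    """Rewrite one workflow line to its pinned form; returns (new_line, note)."""
    m = USES_RE.match(line)
    if not m:
        return line, None                            # not a `uses: owner/repo@ref` step
    action, ref = m.group("action"), m.group("ref")
    if action.startswith(("./", "docker://")):
        return line, None                            # local or container action: nothing to resolve
    if FULL_SHA_RE.match(ref):
        return line, None                            # already pinned to a full commit SHA
    sha = resolve(action, ref)
    if sha is None or not FULL_SHA_RE.match(sha):
        return line, f"unresolved: {action}@{ref}"   # never pin to a value we could not verify
    # The tag survives as a trailing comment, as in Lock's output.
    return f"{m.group('head')}{action}@{sha} # {ref}", f"pinned: {action}@{ref}"

def pin_workflow(text: str, resolve: Resolver) -> Tuple[str, List[str]]:
    """Pin every resolvable `uses:` reference in a workflow file's text."""
    out, notes = [], []
    for line in text.splitlines():
        new, note = pin_line(line, resolve)
        out.append(new)
        if note:
            notes.append(note)
    return "\n".join(out) + "\n", notes

# Constructed stand-in for the GitHub API lookup (hypothetical data, not a real query).
FAKE_TAGS: Dict[str, str] = {
    "actions/checkout@v6.0.2": "de0fac2e4500dabe0009e67214ff5f5447ce83dd",
    "actions/setup-node@v4": "0123456789abcdef0123456789abcdef01234567",
}
def fake_resolve(action: str, ref: str) -> Optional[str]:
    return FAKE_TAGS.get(f"{action}@{ref}")

SAMPLE = """\
      - uses: actions/checkout@v6.0.2
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: unknown/action@v1
"""
PINNED, NOTES = pin_workflow(SAMPLE, fake_resolve)
```

An unresolvable reference is reported rather than rewritten, so a typo or a deleted tag cannot silently produce a pin to the wrong commit.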

Installation

From source

Requires Rust (edition 2024).

cargo install --path .

Build a release binary

cargo build --release
# binary is at target/release/lock

Quick start

# Dry-run: see what lock would pin
lock pin

# Pin all actions and write changes to disk
lock pin --write

# Update actions to their latest patch/minor release, then pin
lock update --write

Authentication

Lock talks to the GitHub API. Unauthenticated requests are subject to strict rate limits (60 requests/hour). Set a GITHUB_TOKEN environment variable to raise that limit.

A fine-grained personal access token with no extra permissions (public repo metadata is all that's needed) works fine.
