Lock is a lightweight CLI that pins your GitHub Actions to specific commit SHAs. It automatically updates workflows while keeping them locked to trusted versions for security and reproducibility.
Lock scans your workflow files, resolves every `uses:` reference through the GitHub API, and rewrites it in place:

```yaml
# before
- uses: actions/checkout@v6.0.2
# after
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
```
The original tag is preserved as an inline comment so you can still see at a glance which version you're on, while the workflow itself now references the immutable commit SHA rather than a tag that could later be moved to different code.
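As an added illustration (not Lock's own code), the std-only Rust snippet below performs the same rewrite offline: a constructed tag-to-SHA table stands in for the GitHub API lookup, already-pinned lines and local `./` actions are left untouched, and the original tag is carried over as the trailing comment.

```rust
use std::collections::HashMap;

/// Constructed stand-in for the GitHub API lookup: "owner/repo@tag" -> commit SHA.
/// The checkout entry matches the README; the setup-node SHA is a placeholder.
fn sample_resolver() -> HashMap<&'static str, &'static str> {
    HashMap::from([
        ("actions/checkout@v6.0.2", "de0fac2e4500dabe0009e67214ff5f5447ce83dd"),
        ("actions/setup-node@v4", "0000000000000000000000000000000000000000"),
    ])
}

/// True when `reference` is already a full 40-hex-digit commit SHA.
fn is_full_sha(reference: &str) -> bool {
    reference.len() == 40 && reference.chars().all(|c| c.is_ascii_hexdigit())
}

/// Rewrite one `- uses: owner/repo@ref` line as `- uses: owner/repo@<sha> # ref`.
/// Non-`uses:` lines, local actions without `@`, already-pinned lines and
/// references the resolver does not know are returned unchanged.
fn pin_line(line: &str, resolver: &HashMap<&str, &str>) -> String {
    let Some(idx) = line.find("uses:") else { return line.to_string() };
    let (prefix, rest) = line.split_at(idx + "uses:".len());
    // Drop any existing trailing comment (e.g. "# v6.0.2") before parsing.
    let spec = rest.split('#').next().unwrap_or("").trim();
    let Some((repo, reference)) = spec.split_once('@') else { return line.to_string() };
    if is_full_sha(reference) {
        return line.to_string(); // idempotent: already pinned
    }
    match resolver.get(spec) {
        Some(sha) => format!("{prefix} {repo}@{sha} # {reference}"),
        None => line.to_string(),
    }
}

/// Pin every line of a workflow file body and return the rewritten text.
fn pin_workflow(text: &str, resolver: &HashMap<&str, &str>) -> String {
    text.lines().map(|l| pin_line(l, resolver)).collect::<Vec<_>>().join("\n")
}

fn main() {
    // Constructed sample workflow fragment.
    let workflow = "steps:\n  - uses: actions/checkout@v6.0.2\n  - uses: actions/setup-node@v4\n  - uses: ./local-action\n";
    println!("{}", pin_workflow(workflow, &sample_resolver()));
}
```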
Requires Rust (edition 2024).

```shell
cargo install --path .
cargo build --release
# binary is at target/release/lock
```

```shell
# Dry-run: see what lock would pin
lock pin
# Pin all actions and write changes to disk
lock pin --write
# Update actions to their latest patch/minor release, then pin
lock update --write
```
Lock talks to the GitHub API. Unauthenticated requests are subject to strict rate limits (60 requests/hour). Set a `GITHUB_TOKEN` environment variable to raise that limit:

A fine-grained personal access token with no extra permissions (public repo metadata is all that's needed) works fine.