Back to browse
GitHub Repository
1 starsPython

Action-locker: pin, verify, and vendor GHAs

by sudosteph·Jul 7, 2026·3 points·1 comment

AI Analysis

●●SolidBig BrainSolve My Problem

Single stdlib-only Python file means the supply chain tool has no supply chain.

Strengths
  • Zero dependencies - entire tool is one readable Python file you can audit
  • Age-gating prevents locking to brand-new actions before bugs surface
  • Vendoring protects against repo deletion, not just tag retagging
Weaknesses
  • Action pinning already solved by Dependabot and other established tools
  • No mention of automatic PR updates when newer safe versions exist
Target Audience

DevOps engineers, security-conscious teams using GitHub Actions

Similar To

Dependabot · StepSecurity · pinact

Similar Projects