explaingit

sxzz/actionspack

Analysis updated 2026-06-24

Stars · 22 · TypeScript · Audience · ops devops · Complexity · 3/5 · License · MIT · Setup · moderate

TLDR

Build tool that resolves GitHub Actions workflow dependencies, pins everything to exact SHAs in a lockfile, and inlines composite actions and reusable workflows into reproducible generated workflow files.

Mindmap

mindmap
  root((actionspack))
    Inputs
      Source workflows
      Remote actions
      actionspack.yml
    Outputs
      Pinned workflow files
      workflow.lock.yml
      Inlined composite jobs
    Use Cases
      Pin floating tag refs
      Reproducible CI builds
      Audit workflow changes in git diff
    Tech Stack
      TypeScript
      Node.js
    Commands
      pack
      update
      verify
      tree

What do people build with it?

USE CASE 1

Pin every third party GitHub Action your workflows use to a fixed commit SHA

USE CASE 2

Inline a composite action so the actual steps show up in pull request diffs

USE CASE 3

Bump all third party action versions with actionspack update and review the lockfile change

USE CASE 4

Run actionspack verify in CI to block unpinned remote references from landing

What is it built with?

TypeScript · Node.js · GitHub Actions · YAML

How does it compare?

                    sxzz/actionspack   aerdelan/housand-domaintoolmatrix   alibaba/webmcp-nexus
Stars               22                 22                                  22
Language            TypeScript         TypeScript                          TypeScript
Setup difficulty    moderate           easy                                moderate
Complexity          3/5                2/5                                 3/5
Audience            ops devops         developer                           developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate · Time to first run · 30 min

Existing workflow files need to be moved into .github/workflows/src/, and the generated outputs should be marked read-only so they are never hand-edited.

MIT license, free to use, modify, and ship with attribution.

In plain English

actionspack is a build tool for GitHub Actions workflows. The problem it tackles is that workflows often depend on reusable workflows and actions from other repositories, and people usually reference them with floating tags like @main. That is convenient while writing the workflow, but it makes the file unreviewable and not reproducible: today's @main may not be the same code that ran yesterday.

The approach is borrowed from package managers like pnpm. You author your workflows under a new folder, .github/workflows/src/, and run actionspack. The tool resolves every remote dependency, records the exact SHA for each one in a lockfile called .github/workflow.lock.yml, and writes pinned workflow files into the normal .github/workflows/ folder. The generated files and the lockfile are both committed, so any change shows up in git diff. To update a dependency you run actionspack update, which refreshes SHAs in the lockfile and rewrites the generated workflows.

What happens to a dependency depends on its kind. Composite actions are recursively inlined into the generated workflow, with input values substituted from the caller's with block or from the action's defaults. Reusable workflows are inlined when they use workflow_call and can be turned into local jobs without changing behavior. JavaScript actions, Docker actions, and docker:// references are not bundled; they stay as remote references but are pinned to a fixed SHA from the lockfile. Anything that cannot be transformed safely fails the build outright.

The CLI has a small set of commands. pack is the default and does a full resolve plus rewrite. scan only updates the shape of the lockfile graph. update refreshes SHAs, optionally for a single package. verify checks that generated workflows are up to date and contain no unpinned remote references. tree, why, and diff inspect the lockfile. The same operations are also exposed as a TypeScript API.

Configuration lives in an optional actionspack.yml file, where you can list explicit source-to-output entries and the external packages that should be pinned but not bundled. The README suggests marking the generated workflow files as read-only in VS Code so they are never edited by hand. The project is MIT licensed and is by Kevin Deng (sxzz).
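To make the pinned-versus-floating distinction concrete, here is an added TypeScript example that is not actionspack's own code: it scans a workflow's uses: lines the way a verify step would, classifies each remote reference as pinned (a 40-hex commit SHA, or an image digest for docker:// refs) or floating (tag, branch, or no ref at all), and rewrites floating refs from a lockfile-style map the way pack does. The function names (classifyUses, scanWorkflow, verifyWorkflow, pinWorkflow), the line-oriented scan in place of a real YAML parser, the placeholder SHAs and the sample workflow are all assumptions constructed for this example.

```typescript
// Added example, not actionspack's own code. A minimal "verify"-style check
// for GitHub Actions `uses:` references plus a lockfile-driven rewrite.
// Everything below (names, sample workflow, SHAs) is constructed for illustration.

type UsesKind = "local" | "pinned" | "floating";

interface UsesFinding {
  line: number; // 1-based line number in the workflow text
  ref: string;  // raw value after `uses:`
  kind: UsesKind;
}

const FULL_SHA = /^[0-9a-f]{40}$/;            // full git commit SHA
const IMAGE_DIGEST = /@sha256:[0-9a-f]{64}$/;  // OCI image digest
// Matches `- uses: ref`, with or without quotes; ignores trailing comments.
const USES_LINE = /^\s*-?\s*uses:\s*(['"]?)([^'"#\s]+)\1/;

// Local actions (./path) need no pinning. docker:// images are pinned only by
// digest. Any other remote action or reusable workflow is pinned only when the
// part after '@' is a full SHA; a tag, a branch or a missing ref is floating.
function classifyUses(ref: string): UsesKind {
  if (ref.startsWith("./")) return "local";
  if (ref.startsWith("docker://")) return IMAGE_DIGEST.test(ref) ? "pinned" : "floating";
  const at = ref.lastIndexOf("@");
  if (at === -1) return "floating"; // no ref resolves to the default branch
  return FULL_SHA.test(ref.slice(at + 1)) ? "pinned" : "floating";
}

// Walk the workflow line by line and record every `uses:` reference.
function scanWorkflow(text: string): UsesFinding[] {
  const findings: UsesFinding[] = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const m = USES_LINE.exec(line);
    if (m) findings.push({ line: i + 1, ref: m[2], kind: classifyUses(m[2]) });
  });
  return findings;
}

// The check a CI gate would run: fail when any remote reference is floating.
function verifyWorkflow(text: string): { ok: boolean; unpinned: UsesFinding[] } {
  const unpinned = scanWorkflow(text).filter((f) => f.kind === "floating");
  return { ok: unpinned.length === 0, unpinned };
}

// Rewrite floating refs from a lockfile-like map {"owner/repo@v4": "<sha>"},
// keeping the human-readable tag as a trailing comment. Refs missing from the
// map are left untouched, so verifyWorkflow still reports them afterwards.
function pinWorkflow(text: string, lock: Record<string, string>): string {
  return text
    .split(/\r?\n/)
    .map((line) => {
      const m = USES_LINE.exec(line);
      if (!m || classifyUses(m[2]) !== "floating") return line;
      const sha = lock[m[2]];
      if (!sha || !FULL_SHA.test(sha)) return line;
      const [name, tag] = m[2].split("@");
      return line.replace(m[2], `${name}@${sha}`) + ` # ${tag ?? "default branch"}`;
    })
    .join("\n");
}

function formatReport(findings: UsesFinding[]): string {
  return findings.map((f) => `line ${f.line}: ${f.kind.padEnd(8)} ${f.ref}`).join("\n");
}

// Constructed placeholders: 40-hex strings, not real commits.
const FAKE_SHA = "0123456789abcdef0123456789abcdef01234567";
const LOCK_SHA = "fedcba9876543210fedcba9876543210fedcba98";

// Constructed sample workflow mixing every reference kind.
const SAMPLE_WORKFLOW = [
  "name: ci",
  "on: [push]",
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: ./.github/actions/setup",
  "      - uses: docker://alpine:3.19",
  `      - uses: example-org/example-action@${FAKE_SHA}`,
  "      - run: npm test",
].join("\n");

// Constructed lockfile-style map; the docker image is deliberately absent.
const SAMPLE_LOCK: Record<string, string> = { "actions/checkout@v4": LOCK_SHA };

console.log(formatReport(scanWorkflow(SAMPLE_WORKFLOW)));
console.log(verifyWorkflow(pinWorkflow(SAMPLE_WORKFLOW, SAMPLE_LOCK)).ok ? "ok" : "unpinned refs remain");
```

Run as written, the scan lists four references; verifyWorkflow fails on the v4 tag and the undigested alpine image, and after pinWorkflow applies the map only the image is still reported, which is the behaviour a CI gate wants: a reference the lockfile cannot resolve stays visible rather than being silently accepted.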

Copy-paste prompts

Prompt 1
Convert my existing .github/workflows folder to actionspack source layout and generate the first lockfile
Prompt 2
Write a GitHub Actions job that runs actionspack verify on every pull request
Prompt 3
Show me an actionspack.yml that pins three external packages but excludes them from bundling
Prompt 4
Compare actionspack to Dependabot for Actions and explain when to use each one
Prompt 5
Use actionspack tree and why to figure out which workflow pulls in actions/checkout v3

Frequently asked questions

What is actionspack?

Build tool that resolves GitHub Actions workflow dependencies, pins everything to exact SHAs in a lockfile, and inlines composite actions and reusable workflows into reproducible generated workflow files.

What language is actionspack written in?

Mainly TypeScript. The stack also includes Node.js and GitHub Actions.

What license does actionspack use?

MIT license, free to use, modify, and ship with attribution.

How hard is actionspack to set up?

Setup difficulty is rated moderate, with roughly 30 min to a first successful run.

Who is actionspack for?

Mainly ops / devops.


Verify against the repo before relying on details.