sxzz/actionspack

actionspack is a build tool for GitHub Actions workflows. The problem it tackles is that workflows often depend on reusable workflows and actions from other repositories, and people usually reference them with floating tags like @main. That is convenient while writing the workflow, but it makes the file unreviewable and not reproducible: today's @main may not be the same code that ran yesterday. The approach is borrowed from package managers like pnpm. You author your workflows under a new folder.github/workflows/src/, and run actionspack. The tool resolves every remote dependency, records the exact SHA for each one in a lockfile called .github/workflow.lock.yml, and writes pinned workflow files into the normal .github/workflows/ folder. The generated files and the lockfile both get committed, so any change shows up in git diff. To update a dependency you run actionspack update, which refreshes SHAs in the lockfile and rewrites the generated workflows. What happens to a dependency depends on its kind. Composite actions are recursively inlined into the generated workflow, with input values substituted from the caller's with block or from action defaults. Reusable workflows are inlined when they use workflow_call and can be turned into local jobs without changing behavior. JavaScript actions, Docker actions, and docker:// references are not bundled; they stay as remote references but are pinned to a fixed SHA from the lockfile. Anything that cannot be transformed safely fails the build outright. The CLI has a small set of commands. pack is the default and does a full resolve plus rewrite. scan only updates the shape of the lockfile graph. update refreshes SHAs, optionally for one package. verify checks that generated workflows are up to date and have no unpinned remote references. tree, why, and diff inspect the lockfile. The same operations are also exposed as a TypeScript API. Configuration lives in an optional actionspack.yml file where you can list explicit source-to-output entries and a list of external packages that should be pinned but not bundled. The README suggests marking the generated workflow files as read only in VS Code so they are never edited by hand. The project is MIT licensed and is by Kevin Deng (sxzz).