sxzz

sxzz / actionspack

Public

Lockfile-first GitHub Actions workflow packer

85% credibility
Found May 21, 2026 at 22 stars.
AI Analysis
TypeScript
AI Summary

actionspack is a workflow management tool for GitHub Actions that brings the reliability of lockfiles to your automation. You write workflows using flexible references (like 'use the latest version'), and actionspack locks everything to specific versions, inlines reusable pieces directly into your files, and generates clean, reproducible workflows ready to commit. It ensures your CI/CD pipelines don't break unexpectedly when dependencies update, gives you full visibility into what changed, and makes updating dependencies safe and auditable.

How It Works

1. 📝 You write your workflows with flexible references

Instead of locking everything to exact versions, you write workflows using convenient references like 'use the latest main version' in a special source folder.

2. 🔒 You run actionspack to lock everything down

With one command, the tool connects to GitHub, finds the exact versions of all your dependencies, and records them in a lockfile so nothing changes unexpectedly.

3. Your workflows get bundled and optimized

The tool inlines reusable workflows and actions directly into your files, making everything self-contained and faster to run.

4. 🔍 You review what changed before committing

You can see exactly which dependencies updated and how your generated workflows changed, just like reviewing a diff in your code.

5. Later, you need to update your dependencies

🔀 Update everything at once: Refresh all locked dependencies to their latest versions with a single command.

🎯 Update just one package: Target a specific workflow or action to update without touching everything else.

6. You verify everything works correctly

Before pushing, you can verify that your generated workflows are up-to-date and contain no broken references.

🎉 Your project is reproducible and secure

Every team member gets the same exact workflow versions, and you have a clear record of exactly what changed and why.

AI-Generated Review

What is actionspack?

actionspack is a TypeScript tool that brings lockfile discipline to GitHub Actions. You write workflows using floating refs like `@main` in a source directory, run `actionspack pack`, and it generates reproducible workflows pinned to exact SHAs. The lockfile tracks every remote dependency, so `git diff` shows exactly what changed. Composite actions get inlined recursively, while JavaScript and Docker actions stay external but pinned. The CLI exposes commands like `pack`, `scan`, `update`, `verify`, `tree`, `why`, and `diff` for managing the workflow dependency graph.

Why is it gaining traction?

The pain point is real: floating refs in CI make audits impossible and introduce silent breakage. actionspack solves this the same way package managers solved dependency hell. The workflow stays human-readable in source, but the generated output is locked and reviewable. The `verify` command catches drift automatically, and the `diff` command makes dependency updates auditable. Using the official GitHub Actions expression parser means it understands workflow syntax correctly, not just YAML.
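A minimal audit for the floating refs described above, as an added example (not actionspack's code or its `scan`/`verify` logic): it classifies each `uses:` value in a workflow and reports those not pinned to a full commit SHA. The line-based matching (no YAML parser), the `example-org` names and the sample workflow are assumptions constructed for illustration.

```typescript
// Added example: classify every `uses:` reference in a workflow file.
type Kind = "pinned" | "floating" | "local" | "docker";

interface Finding {
  line: number;   // 1-based line number in the workflow text
  target: string; // raw value of `uses:`
  kind: Kind;
}

const FULL_SHA = /^[0-9a-f]{40}$/;

function classifyUses(target: string): Kind {
  if (target.startsWith("./")) return "local";         // action in the same repository
  if (target.startsWith("docker://")) return "docker"; // image ref (tag mutability is a separate check)
  const at = target.lastIndexOf("@");
  const ref = at === -1 ? "" : target.slice(at + 1);
  // Only a full 40-hex commit SHA is immutable; branches and tags can be moved.
  return FULL_SHA.test(ref) ? "pinned" : "floating";
}

function auditWorkflow(text: string): Finding[] {
  const findings: Finding[] = [];
  text.split("\n").forEach((raw, i) => {
    // Matches `uses: x` and `- uses: x`; drops quotes and trailing comments.
    const target = /^\s*(?:-\s+)?uses:\s*["']?([^"'\s#]+)/.exec(raw)?.[1];
    if (target) findings.push({ line: i + 1, target, kind: classifyUses(target) });
  });
  return findings;
}

// Refs an auditor would want replaced by a locked SHA.
function floatingRefs(text: string): string[] {
  return auditWorkflow(text).filter(f => f.kind === "floating").map(f => f.target);
}

// Constructed sample workflow (not taken from the actionspack repository).
const SAMPLE = `
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: actions/setup-node@v4 # a tag is still movable
      - uses: example-org/build-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/lint
      - uses: docker://alpine:3.20
  release:
    uses: example-org/shared/.github/workflows/release.yml@main
`;
```

Run over a repository's workflow files, a non-empty `floatingRefs` result is the condition a CI gate would fail on.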

Who should use this?

Teams managing multiple repositories with shared reusable workflows or heavy action dependencies. Platform teams standardizing CI across an org. Anyone tired of `@main` breaking production CI on a Friday. Not for simple single-workflow repos with no external dependencies.

Verdict

With an 85% credibility score, this is a well-structured, thoughtful tool from an individual maintainer. The API is clean, the CLI is intuitive, and the lockfile approach solves a genuine problem. At 15 stars, it's early and unproven at scale. Worth evaluating for monorepos or org-wide CI standardization, but treat it like any early-stage project: test thoroughly before committing to production pipelines.
