{"id":51316030,"url":"https://github.com/sxzz/actionspack","last_synced_at":"2026-07-01T07:04:13.454Z","repository":{"id":359175474,"uuid":"1244883002","full_name":"sxzz/actionspack","owner":"sxzz","description":"Lockfile-first GitHub Actions workflow packer","archived":false,"fork":false,"pushed_at":"2026-05-20T18:37:48.000Z","size":110,"stargazers_count":7,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-20T23:13:04.130Z","etag":null,"topics":["actions","github","workflow"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sxzz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["sxzz"]}},"created_at":"2026-05-20T17:36:27.000Z","updated_at":"2026-05-20T21:54:19.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/sxzz/actionspack","commit_stats":null,"previous_names":["sxzz/flowpack"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/sxzz/actionspack","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sxzz%2Factionspack","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sxzz%2Factionspack/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sxzz%2Factionspack/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sxzz%2Factionspack/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sxzz","download_url":"https://codeload.github.com/sxzz/actionspack/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sxzz%2Factionspack/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34996294,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-01T02:00:05.325Z","response_time":130,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","github","workflow"],"created_at":"2026-07-01T07:04:12.679Z","updated_at":"2026-07-01T07:04:13.436Z","avatar_url":"https://github.com/sxzz.png","language":"TypeScript","funding_links":["https://github.com/sponsors/sxzz"],"categories":[],"sub_categories":[],"readme":"# actionspack\n\n[![Open on npmx][npmx-version-src]][npmx-href]\n[![npm downloads][npmx-downloads-src]][npmx-href]\n[![Unit Test][unit-test-src]][unit-test-href]\n\n`actionspack` is a lockfile-first GitHub Actions workflow packer. It lets you\nauthor workflows in `.github/workflows/src/`, lock every remote workflow/action\ndependency in `.github/workflow.lock.yml`, and generate pinned workflows in\n`.github/workflows/`.\n\nIt currently supports inlining composite actions and safely transformable\nreusable workflows. JavaScript and Docker actions are pinned as external\ndependencies instead of being bundled.\n\n## Why actionspack?\n\nGitHub Actions workflows often depend on reusable workflows and actions from\nother repositories. You may want to author those dependencies with convenient\nfloating refs like `@main` in `.github/workflows/src/`, but generated workflows\nshould be reproducible and reviewable.\n\n`actionspack` gives workflows a lockfile mechanism similar to `pnpm`. It locks\nremote workflows and actions in `.github/workflow.lock.yml`, inlines everything\nthat can be transformed safely into the local repository, and pins anything that\ncannot be inlined to a fixed SHA.\n\nTo update workflow and action dependencies, run `actionspack update`\nperiodically. The updated lockfile and generated workflows are normal repository\nfiles, so `git diff` shows exactly which dependencies changed and what generated\nworkflow output changed.\n\n## Install\n\n```bash\nnpm i actionspack\n```\n\n## Usage\n\nPut authored workflows under `.github/workflows/src/`:\n\n```yaml\n# .github/workflows/src/ci.yml\nname: CI\n\non:\n  push:\n\njobs:\n  test:\n    uses: owner/repo/.github/workflows/test.yml@main\n```\n\nThen run:\n\n```bash\nnpx actionspack\n```\n\n`actionspack` defaults to `actionspack pack`. It writes:\n\n- `.github/workflow.lock.yml`\n- `.github/workflows/ci.yml`\n\nGenerated workflows are safe to commit. Existing lockfile SHAs are reused until\nyou explicitly run `actionspack update`.\n\nWhen you want to refresh workflow/action dependencies:\n\n```bash\nnpx actionspack update\ngit diff\n```\n\nReview the dependency SHA changes in `.github/workflow.lock.yml` and the\nresulting generated workflow changes before committing.\n\n### VS Code\n\nGenerated workflows should not be edited by hand. Consider marking them as\nread-only in your workspace settings:\n\n```json\n{\n  \"files.readonlyInclude\": {\n    \".github/workflows/*.yml\": true\n  }\n}\n```\n\n## Commands\n\n```bash\nactionspack pack\n```\n\nScan source workflows, resolve missing dependencies, update the lockfile, and\nwrite generated workflows.\n\n```bash\nactionspack scan\n```\n\nUpdate the lockfile graph shape only. This adds newly discovered dependencies\nand removes unreachable ones without refreshing existing SHAs.\n\n```bash\nactionspack update [package]\n```\n\nRefresh all locked dependencies, or only the selected package. By default this\nalso packs workflows. Use `--lockfile-only` to update only\n`.github/workflow.lock.yml`.\n\n```bash\nactionspack verify\n```\n\nCheck that generated workflows are current and contain no unsupported unpinned\nremote references.\n\n```bash\nactionspack tree\nactionspack why \u003cpackage\u003e\nactionspack diff\nactionspack diff --json\n```\n\nInspect the lockfile dependency tree, explain why a package is present, or\ncompare the current lockfile with `HEAD`.\n\n## Configuration\n\n`actionspack.yml` is optional. Without it, `actionspack` discovers\n`.github/workflows/src/*.yml` and `.github/workflows/src/*.yaml`, then writes\nmatching generated workflows to `.github/workflows/*.yml`.\n\nUse explicit entries when you need custom paths:\n\n```yaml\n$schema: ./actionspack.schema.json\n\nentries:\n  - source: .github/workflows/src/ci.yml\n    output: .github/workflows/ci.yml\n```\n\nUse `external` to pin a workflow or action without bundling it:\n\n```yaml\nexternal:\n  - actions/checkout\n  - owner/repo/path\n```\n\nThe same configuration can be supplied through CLI flags:\n\n```bash\nactionspack pack \\\n  --entry .github/workflows/src/ci.yml:.github/workflows/ci.yml \\\n  --external actions/checkout\n```\n\n## Packing Rules\n\nComposite actions are recursively inlined when `runs.using` is `composite`.\nInputs are substituted from caller `with` values or action defaults. Missing\nrequired inputs fail closed.\n\nReusable workflows are inlined only when they use `workflow_call` and can be\ntransformed into local jobs deterministically. Unsupported cases, unresolved\nrefs, unsafe reusable workflows, and leftover remote `uses` fail closed.\n\nJavaScript actions, Docker actions, and `docker://` references are not bundled\nyet. They are pinned to locked SHAs as external dependencies.\n\n## API\n\n```ts\nimport { diff, pack, scan, tree, update, verify, why } from 'actionspack'\n\nawait pack()\nawait update({ packageName: 'owner/repo', lockfileOnly: true })\nawait verify()\n```\n\n## Sponsors\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://cdn.jsdelivr.net/gh/sxzz/sponsors/sponsors.svg\"\u003e\n    \u003cimg src='https://cdn.jsdelivr.net/gh/sxzz/sponsors/sponsors.svg'/\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n## License\n\n[MIT](./LICENSE) License © 2026-PRESENT [Kevin Deng](https://github.com/sxzz)\n\n\u003c!-- Badges --\u003e\n\n[npmx-version-src]: https://npmx.dev/api/registry/badge/version/actionspack\n[npmx-downloads-src]: https://npmx.dev/api/registry/badge/downloads-month/actionspack\n[npmx-href]: https://npmx.dev/actionspack\n[unit-test-src]: https://github.com/sxzz/actionspack/actions/workflows/unit-test.yml/badge.svg\n[unit-test-href]: https://github.com/sxzz/actionspack/actions/workflows/unit-test.yml\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsxzz%2Factionspack","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsxzz%2Factionspack","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsxzz%2Factionspack/lists"}