
Just don't use actions which pull in arbitrary npm packages without a lockfile.

Don't use such actions. Or fork them and add and commit the lockfile yourself, if you're cool with the implied maintenance.

Sure, or we come up with a proper solution via lockfiles so we don't have to keep forking and maintaining, and make full dependency locks the default so everyone benefits.

This is a long solved problem in every other ecosystem. This particular implementation isn't great but it has the right idea.


> Or fork them and add and commit the lockfile yourself

Depending on the action you use, this is no small task. You might as well just switch to something else altogether.


This is the way to do it.

Pin by hash.

Verify that the actions themselves aren't pulling in unpinned dependencies from Actions, NPM, or elsewhere.

Have a CI job or bot create PRs for new versions. Verify those PRs before merging.

If any particular action becomes a recurring chore or risk, consider if you should keep depending on it.

If you do these things, the "we need a package manager" is moot and most if not all of the concerns in that blog post don't affect you.

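As an added illustration of the "pin by hash" step in the comment above (example code, not from the thread or from GitHub), this script scans a workflow file for `uses:` references that point at mutable tags or branches instead of a full commit SHA or image digest. The sample workflow and the action names in it are constructed for the demo.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not from the thread): a mix of pinned and unpinned references.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
      - uses: some-org/some-action@main
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def classify(ref: str) -> str:
    """Return 'pinned', 'unpinned' or 'local' for one `uses:` reference."""
    if ref.startswith("./"):
        return "local"              # repository-local action, versioned with the repo itself
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@" in image and DIGEST_RE.match(image.split("@", 1)[1]):
            return "pinned"
        return "unpinned"           # tag-only image can be repointed by the registry owner
    if "@" in ref and SHA1_RE.match(ref.rsplit("@", 1)[1]):
        return "pinned"
    return "unpinned"               # tag or branch: mutable, can be moved to new code

def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reference) for every mutable `uses:` reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "unpinned":
            findings.append((lineno, m.group(1)))
    return findings

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to an immutable hash")
```

Running it as a CI gate fails the build on the three mutable references in the sample; the same check does not cover transitive dependencies the pinned actions fetch at runtime, which is the second item in the comment.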

I don’t want to throw process at the problem. I think GH should provide a better system, not the developers locking down dependencies and adding extra processes and steps to update the CI via a PR workflow. Not like PRs became the development bottleneck anyways for a lot of development teams these days. I wonder how we functioned 15 years ago with trunk-based YOLO development. I also think that it wasn’t the best idea to base versioning on mutable branches and not introduce a registry in the middle. Think about it. The whole system is built on node anyways. But we pull “dependencies” via a weak git clone system.

This is likely the reason behind the recent push of "Trusted Publishing" from NPM. They are trying to make people consider GitHub (and GitLab) in its own higher tier with regards to supply-chain security by decree.

If you rely on "Trusted Publishing" you are assisting Microsoft in making a moat for their CI platform.

Use cryptographic signatures, not implicit trust in a hosted platform.


(e): Community software like act and Forgejo/Gitea Actions has made it a lot easier to run GitHub Actions workflows without involving GitHub and is decreasing the friction of migration.

Now you are talking about value but you asked about cost. They are not the same.

bigyabai is talking about utility from the perspective of the owner or a hypothetical buyer, not concerned with the wider community.


"Zuck" works

The internet should very much be considered an untrusted network.

Don’t put it on a network, but also don’t allow it to reach an untrusted network.

Who watches the watchmen?

This needs to be locally hostable and auditable to be interesting.


Hey, thanks for the reply. Standalone would be an option, noted. Also, we have audit logs and Splunk integration support, but we will improve "auditability". Thanks for the suggestions.

You don't like war and propaganda but are "also 100% fine with China taking back Taiwan, that's only fair"? Not compatible.

Aside: This reminds me that pro-CCP astroturfing has been increasingly prevalent and visible on the fediverse recently...


As a US citizen, it's absolutely none of my business.

And yet you chose to highlight it, unprompted, in a conversation where it is off-topic.

Besides, military invasion of an independent non-aggressive country is a global concern. Like Russia invading Ukraine was or a hypothetical US invasion of Venezuela would be.


I was responding to the parent comment that brought it up.
