Data

Tools

Indexes

Applications

Experiments

Open Source Science

https://github.com/chains-project/ghasum

Checksums for GitHub Actions.

https://github.com/chains-project/ghasum

Science Score: 26.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Committers with academic emails
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (9.5%) to scientific vocabulary

Keywords

checksums gha lockfile

Keywords from Contributors

archival projection interactive generic sequences observability autograding hacking shellcodes modular
Last synced: 6 months ago · JSON representation

Repository

Checksums for GitHub Actions.

Basic Info
  • Host: GitHub
  • Owner: chains-project
  • License: apache-2.0
  • Language: Go
  • Default Branch: main
  • Homepage:
  • Size: 308 KB
Statistics
  • Stars: 14
  • Watchers: 3
  • Forks: 1
  • Open Issues: 14
  • Releases: 8
Topics
checksums gha lockfile
Created about 2 years ago · Last pushed 6 months ago
Metadata Files
Readme Changelog Contributing License Security

README.md

ghasum

Checksums for GitHub Actions.

Compute and verify checksums for all GitHub Actions in a project to guarantee that the Actions you choose to include haven't changed since. ghasum gives better integrity guarantees than pinning Actions by commit hash and is also more user friendly as well.

Usage

To start using ghasum navigate to a project that use GitHub Actions and run:

shell ghasum init

Commit the gha.sum file that is created so that the checksums can be verified in the future. To verify run:

shell ghasum verify

For further help with using ghasum run:

shell ghasum help

Integration

To use ghasum in your GitHub Actions workflows there are two options. One is to create and use a local action that runs ghasum (recommended) and the other is to run ghasum inline in every job.

Local Action (Recommended)

To integrate ghasum as a local action into your GitHub Actions workflows you have to create the local action and then use it in every job in every workflow.

Create a local action to run ghasum:

Create the file .github/actions/ghasum/action.yml and copy the following content into the file. Then fill in the ghasum version and checksums.

```yaml name: ghasum description: Verify checksums of actions

inputs: checksum: description: The checksum of the ghasum checksums file required: false default: 0d9ca91... # Set the 'checksums-sha512.txt' file's checksum. version: description: The version of ghasum to use required: false default: vX.Y.Z # Set the ghasum version.

runs: using: composite steps: # Unix - name: Initialize ghasum directory if: runner.os == 'macOS' || runner.os == 'Linux' shell: bash run: mkdir -p /tmp/ghasum - name: Download ghasum checksums if: runner.os == 'macOS' || runner.os == 'Linux' shell: bash working-directory: /tmp/ghasum env: CHECKSUM: ${{ inputs.checksum }} GH_TOKEN: ${{ github.token }} VERSION: ${{ inputs.version }} run: | ARTIFACT='checksums-sha512.txt' gh release download "$VERSION" --repo chains-project/ghasum --pattern "$ARTIFACT" echo "$CHECKSUM $ARTIFACT" | shasum -a 256 -c -

   # Windows
   - name: Initialize ghasum directory
     if: runner.os == 'Windows'
     shell: pwsh
     run: mkdir C:\ghasum
   - name: Download ghasum checksums
     if: runner.os == 'Windows'
     shell: pwsh
     working-directory: C:\ghasum
     env:
       CHECKSUM: ${{ inputs.checksum }}
       GH_TOKEN: ${{ github.token }}
       VERSION: ${{ inputs.version }}
     run: |
       $ARTIFACT = "checksums-sha512.txt"
       gh release download "$env:VERSION" --repo chains-project/ghasum --pattern "$ARTIFACT"
       if ((Get-FileHash -Algorithm SHA256 "$ARTIFACT").Hash -ne "$env:CHECKSUM") {
         Write-Error 'Checksum mismatch!'
         exit 1
       } else {
         Write-Host 'Checksum match'
       }

   # macOS
   - name: Pick the ghasum CLI (amd64)
     if: runner.os == 'macOS' && runner.arch == 'X64'
     id: pick-macos-amd64
     shell: bash
     run: echo 'artifact=ghasum_darwin_amd64.tar.gz' >>"$GITHUB_OUTPUT"
   - name: Pick the ghasum CLI (arm64)
     if: runner.os == 'macOS' && runner.arch == 'ARM64'
     id: pick-macos-arm64
     shell: bash
     run: echo 'artifact=ghasum_darwin_arm64.tar.gz' >>"$GITHUB_OUTPUT"
   - name: Download the ghasum CLI
     if: runner.os == 'macOS'
     shell: bash
     working-directory: /tmp/ghasum
     env:
       ARTIFACT: ${{ steps.pick-macos-amd64.outputs.artifact || steps.pick-macos-arm64.outputs.artifact }}
       GH_TOKEN: ${{ github.token }}
       VERSION: ${{ inputs.version }}
     run: |
       gh release download "$VERSION" --repo chains-project/ghasum --pattern "$ARTIFACT"
       shasum --check --ignore-missing checksums-sha512.txt
       tar -xf "$ARTIFACT"
   - name: Verify the action checksums
     if: runner.os == 'macOS'
     shell: bash
     env:
       JOB: ${{ github.job }}
       WORKFLOW: ${{ github.workflow_ref }}
     run: |
       WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
       /tmp/ghasum/ghasum verify -cache /Users/runner/work/_actions -no-evict -offline "$WORKFLOW:$JOB"

   # Linux
   - name: Pick the ghasum CLI (amd64)
     if: runner.os == 'Linux' && runner.arch == 'X64'
     id: pick-linux-amd64
     shell: bash
     run: echo 'artifact=ghasum_linux_amd64.tar.gz' >>"$GITHUB_OUTPUT"
   - name: Pick the ghasum CLI (arm64)
     if: runner.os == 'Linux' && runner.arch == 'ARM64'
     id: pick-linux-arm64
     shell: bash
     run: echo 'artifact=ghasum_linux_arm64.tar.gz' >>"$GITHUB_OUTPUT"
   - name: Download the ghasum CLI
     if: runner.os == 'Linux'
     shell: bash
     working-directory: /tmp/ghasum
     env:
       ARTIFACT: ${{ steps.pick-linux-amd64.outputs.artifact || steps.pick-linux-arm64.outputs.artifact }}
       GH_TOKEN: ${{ github.token }}
       VERSION: ${{ inputs.version }}
     run: |
       gh release download "$VERSION" --repo chains-project/ghasum --pattern "$ARTIFACT"
       shasum --check --ignore-missing checksums-sha512.txt
       tar -xf "$ARTIFACT"
   - name: Verify the action checksums
     if: runner.os == 'Linux'
     shell: bash
     env:
       JOB: ${{ github.job }}
       WORKFLOW: ${{ github.workflow_ref }}
     run: |
       WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
       /tmp/ghasum/ghasum verify -cache /home/runner/work/_actions -no-evict -offline "$WORKFLOW:$JOB"

   # Windows
   - name: Pick the ghasum CLI (amd64)
     if: runner.os == 'Windows' && runner.arch == 'X64'
     id: pick-windows-amd64
     shell: pwsh
     run: |
       'artifact=ghasum_windows_amd64.zip' >>"$env:GITHUB_OUTPUT"
   - name: Pick the ghasum CLI (arm64)
     if: runner.os == 'Windows' && runner.arch == 'ARM64'
     id: pick-windows-arm64
     shell: pwsh
     run: |
       'artifact=ghasum_windows_arm64.zip' >>"$env:GITHUB_OUTPUT"
   - name: Download the ghasum CLI
     if: runner.os == 'Windows'
     shell: pwsh
     working-directory: C:\ghasum
     env:
       ARTIFACT: ${{ steps.pick-windows-amd64.outputs.artifact || steps.pick-windows-arm64.outputs.artifact }}
       GH_TOKEN: ${{ github.token }}
       VERSION: ${{ inputs.version }}
     run: |
       gh release download "$env:VERSION" --repo chains-project/ghasum --pattern "$env:ARTIFACT"
       $line = Get-Content checksums-sha512.txt | Where-Object { $_ -match "\b$env:ARTIFACT$" }
       if (-not $line) {
         Write-Error 'Checksum missing'
         exit 2
       } else {
         if ($line -match "^([a-fA-F0-9]+)  $env:ARTIFACT$") {
           $want = $matches[1]
           $got = (Get-FileHash -Path $env:ARTIFACT -Algorithm SHA512).Hash
           if ($got.ToLower() -ne $want.ToLower()) {
             Write-Error 'Checksum mismatch'
             exit 1
           } else {
             Write-Host 'Checksum match'
             Expand-Archive -Path "$env:ARTIFACT" -DestinationPath .
           }
         } else {
           Write-Error 'Checksums malformed'
           exit 2
         }
       }
   - name: Verify the action checksums
     if: runner.os == 'Windows'
     shell: pwsh
     env:
       JOB: ${{ github.job }}
       WORKFLOW: ${{ github.workflow_ref }}
     run: |
       $WorkflowParts = $env:WORKFLOW -split '@'
       $WorkflowPath = ($WorkflowParts[0] -split '/')[2..4] -join '/'
       if (Test-Path -Path 'C:\a\_actions') {
         C:\ghasum\ghasum.exe verify -cache C:\a\_actions -no-evict -offline "${WorkflowPath}:$env:JOB"
       } else {
         C:\ghasum\ghasum.exe verify -cache D:\a\_actions -no-evict -offline "${WorkflowPath}:$env:JOB"
       }

   # Cleanup
   - name: Cleanup (Unix)
     if: runner.os == 'macOS' || runner.os == 'Linux'
     shell: bash
     run: rm -rf /tmp/ghasum
   - name: Cleanup (Windows)
     if: runner.os == 'Windows'
     shell: pwsh
     run: Remove-Item -Recurse -Force -Path C:\ghasum

```

Use the local action in your workflows:

```yaml jobs: example: steps: # The repository has to be checked out before verifying checksums because # it requires access to the content in .github/workflows. Because this # action is run before the checksums are verified it should be pinned to # a commit SHA. - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

   # Verify the checksums with ghasum through the local action.
   - name: Verify action checksums
     uses: ./.github/actions/ghasum

   # The rest of your job ...

```

Inline

For Ubuntu runners ```yaml job: runs-on: ubuntu-24.04 # Also 'ubuntu-latest' steps: # The repository has to be checked out before verifying checksums because it # requires access to the content in .github/workflows. Because this action is # run before the checksums are verified it should be pinned to a commit SHA. - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Verify the action checksums with ghasum. - name: Verify action checksums env: VERSION: vX.Y.Z # Set the ghasum version. CHECKSUM: f5f2ff0... # Set the ghasum binary checksum. GH_TOKEN: ${{ github.token }} # Required for the GitHub CLI (`gh`). JOB: ${{ github.job }} WORKFLOW: ${{ github.workflow_ref }} run: | # Download the ghasum CLI ARTIFACT="ghasum_linux_amd64.tar.gz" gh release download "${VERSION}" --repo chains-project/ghasum --pattern "${ARTIFACT}" echo "${CHECKSUM} ${ARTIFACT}" | shasum -a 512 -c - tar -xf "${ARTIFACT}" # Verify the action checksums WORKFLOW=$(echo "${WORKFLOW}" | cut -d '@' -f 1 | cut -d '/' -f 3-5) ./ghasum verify -cache /home/runner/work/_actions -no-evict -offline "${WORKFLOW}:${JOB}" # The rest of your job ... ```
For macOS runners For newer ARM-based runners: ```yaml job: runs-on: macos-15 # Also 'macos-latest' steps: # The repository has to be checked out before verifying checksums because it # requires access to the content in .github/workflows. Because this action is # run before the checksums are verified it should be pinned to a commit SHA. - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Verify the action checksums with ghasum. - name: Verify action checksums env: VERSION: vX.Y.Z # Set the ghasum version. CHECKSUM: 94a5919... # Set the ghasum binary checksum. GH_TOKEN: ${{ github.token }} # Required for the GitHub CLI (`gh`). JOB: ${{ github.job }} WORKFLOW: ${{ github.workflow_ref }} run: | # Download the ghasum CLI ARTIFACT="ghasum_darwin_arm64.tar.gz" gh release download "${VERSION}" --repo chains-project/ghasum --pattern "${ARTIFACT}" echo "${CHECKSUM} ${ARTIFACT}" | shasum -a 512 -c - tar -xf "${ARTIFACT}" # Verify the action checksums WORKFLOW=$(echo "${WORKFLOW}" | cut -d '@' -f 1 | cut -d '/' -f 3-5) ./ghasum verify -cache /Users/runner/work/_actions -no-evict -offline "${WORKFLOW}:${JOB}" # The rest of your job ... ``` For older Intel-based runners: ```yaml job: runs-on: macos-13 steps: # The repository has to be checked out before verifying checksums because it # requires access to the content in .github/workflows. Because this action is # run before the checksums are verified it should be pinned to a commit SHA. - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Verify the action checksums with ghasum. - name: Verify action checksums env: VERSION: vX.Y.Z # Set the ghasum version. CHECKSUM: 3414193... # Set the ghasum binary checksum. GH_TOKEN: ${{ github.token }} # Required for the GitHub CLI (`gh`). JOB: ${{ github.job }} WORKFLOW: ${{ github.workflow_ref }} run: | # Download the ghasum CLI ARTIFACT="ghasum_darwin_amd64.tar.gz" gh release download "${VERSION}" --repo chains-project/ghasum --pattern "${ARTIFACT}" echo "${CHECKSUM} ${ARTIFACT}" | shasum -a 512 -c - tar -xf "${ARTIFACT}" # Verify the action checksums WORKFLOW=$(echo "${WORKFLOW}" | cut -d '@' -f 1 | cut -d '/' -f 3-5) ./ghasum verify -cache /Users/runner/work/_actions -no-evict -offline "${WORKFLOW}:${JOB}" # The rest of your job ... ```
For Windows runners ```yaml job: runs-on: windows-2025 # Also 'windows-latest' steps: # The repository has to be checked out before verifying checksums because it # requires access to the content in .github/workflows. Because this action is # run before the checksums are verified it should be pinned to a commit SHA. - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Verify the action checksums with ghasum. - name: Verify action checksums env: VERSION: vX.Y.Z # Set the ghasum version. CHECKSUM: e3d49db... # Set the ghasum binary checksum. GH_TOKEN: ${{ github.token }} # Required for the GitHub CLI (`gh`). JOB: ${{ github.job }} WORKFLOW: ${{ github.workflow_ref }} run: | # Download the ghasum CLI $ARTIFACT = "ghasum_windows_amd64.zip" gh release download "$env:VERSION" --repo chains-project/ghasum --pattern "$ARTIFACT" if ((Get-FileHash -Algorithm SHA512 "$ARTIFACT").Hash -ne $env:CHECKSUM) { Write-Error "Checksum mismatch!" exit 1 } Expand-Archive -Path "$ARTIFACT" -DestinationPath . # Verify the action checksums $WorkflowParts = $env:WORKFLOW -split '@' $WorkflowPath = ($WorkflowParts[0] -split '/')[2..4] -join '/' .\ghasum.exe verify -cache C:\a\_actions -no-evict -offline "${WorkflowPath}:${env:JOB}" # The rest of your job ... ```
For ARM-based Ubuntu runners ```yaml job: runs-on: ubuntu-24.04-arm steps: # The repository has to be checked out before verifying checksums because it # requires access to the content in .github/workflows. Because this action is # run before the checksums are verified it should be pinned to a commit SHA. - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Verify the action checksums with ghasum. - name: Verify action checksums env: VERSION: vX.Y.Z # Set the ghasum version. CHECKSUM: 8a5c3d8... # Set the ghasum binary checksum. GH_TOKEN: ${{ github.token }} # Required for the GitHub CLI (`gh`). JOB: ${{ github.job }} WORKFLOW: ${{ github.workflow_ref }} run: | # Download the ghasum CLI ARTIFACT="ghasum_linux_arm64.tar.gz" gh release download "${VERSION}" --repo chains-project/ghasum --pattern "${ARTIFACT}" echo "${CHECKSUM} ${ARTIFACT}" | shasum -a 512 -c - tar -xf "${ARTIFACT}" # Verify the action checksums WORKFLOW=$(echo "${WORKFLOW}" | cut -d '@' -f 1 | cut -d '/' -f 3-5) ./ghasum verify -cache /home/runner/work/_actions -no-evict -offline "${WORKFLOW}:${JOB}" # The rest of your job ... ```
For ARM-based Windows runners ```yaml job: runs-on: windows-11-arm steps: # The repository has to be checked out before verifying checksums because it # requires access to the content in .github/workflows. Because this action is # run before the checksums are verified it should be pinned to a commit SHA. - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Verify the action checksums with ghasum. - name: Verify action checksums env: VERSION: vX.Y.Z # Set the ghasum version. CHECKSUM: 3114a13... # Set the ghasum binary checksum. GH_TOKEN: ${{ github.token }} # Required for the GitHub CLI (`gh`). JOB: ${{ github.job }} WORKFLOW: ${{ github.workflow_ref }} run: | # Download the ghasum CLI $ARTIFACT = "ghasum_windows_arm64.zip" gh release download "$env:VERSION" --repo chains-project/ghasum --pattern "$ARTIFACT" if ((Get-FileHash -Algorithm SHA512 "$ARTIFACT").Hash -ne $env:CHECKSUM) { Write-Error "Checksum mismatch!" exit 1 } Expand-Archive -Path "$ARTIFACT" -DestinationPath . # Verify the action checksums $WorkflowParts = $env:WORKFLOW -split '@' $WorkflowPath = ($WorkflowParts[0] -split '/')[2..4] -join '/' .\ghasum.exe verify -cache C:\a\_actions -no-evict -offline "${WorkflowPath}:${env:JOB}" # The rest of your job ... ```

Using Go

In a Go-based project, you can use the Go toolchain to integrate ghasum. To get started, add ghasum as a tool dependency:

shell go get -tool github.com/chains-project/ghasum/cmd/ghasum

Initialize ghasum for your project if you haven't already:

shell go run github.com/chains-project/ghasum/cmd/ghasum init

Verify the setup succeeded:

shell go run github.com/chains-project/ghasum/cmd/ghasum verify

And update your workflows to verify the checksums at runtime. You can follow either the Local Action or Inline approach. Like with the other approaches you must first use actions/checkout. Moreover, because this runs from source you must also first use actions/setup-go. Both should be pinned to a commit SHA as they're run before checksum verification.

For Ubuntu/macOS runners ```yaml - uses: actions/checkout # @commit-sha - uses: actions/setup-go # @commit-sha - name: Verify action checksums env: JOB: ${{ github.job }} WORKFLOW: ${{ github.workflow_ref }} run: | WORKFLOW=$(echo "${WORKFLOW}" | cut -d '@' -f 1 | cut -d '/' -f 3-5) go run github.com/chains-project/ghasum/cmd/ghasum verify \ -cache /home/runner/work/_actions -no-evict -offline "${WORKFLOW}:${JOB}" ```
For Windows runners ```yaml - uses: actions/checkout # @commit-sha - uses: actions/setup-go # @commit-sha - name: Verify action checksums env: JOB: ${{ github.job }} WORKFLOW: ${{ github.workflow_ref }} run: | $WorkflowParts = $env:WORKFLOW -split '@' $WorkflowPath = ($WorkflowParts[0] -split '/')[2..4] -join '/' go run github.com/chains-project/ghasum/cmd/ghasum verify \ -cache C:\a\_actions -no-evict -offline "${WorkflowPath}:${env:JOB}" ```

Recommendations

When using ghasum it is recommended to pin all Actions to version tags. If Actions are benign, these won't change over time. Major version tags or branch refs are expected to change over time as changes are made to the Action, which results in failing verification by ghasum. Commit SHAs do not have to be used because the benefits they provide are covered by ghasum.

If an Action misbehaves - moving version refs after publishing - it is recommended to use commit SHAs instead to avoid failing verification by ghasum.

```yaml

Recommended: exact version tags

  • uses: actions/checkout@v4.1.1

Possible alternative: commit SHAs

  • uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

Discouraged: major version refs

  • uses: actions/checkout@v4

Discouraged: branches

  • uses: actions/checkout@main ```

Benefits

  • Pins transitive (composite) GitHub Actions.
  • Prevents using actions that have changed since you started using them. Avoids the impact of supply chain attacks such as CVE-2025-30066.
  • Prevents using impostor commits.
  • Reveals your GitHub Actions dependency hierarchy with ghasum list, even without integrating ghasum.
  • Protects against git commit SHA hash collisions (more details below).

Limitations

  • Requires manual intervention when an Action is updated.
  • The hashing algorithm used for checksums is not configurable.
  • ghasum does not (yet, #216) handle Docker-based unpinnable actions.
  • Checksums do not provide protection against code-based unpinnable actions.

Some of these limitations may be addressed by Github's Immutable Actions initiative, see github/roadmap#592 for more information.

Background

The dependency ecosystem for GitHub Actions is fully reliant on git. The version of an Action to use is specified using a git ref (branch or tag) or commit SHA. Git refs provide no integrity guarantees. And while commit SHAs do provide some integrity guarantees, since they're based on the older SHA1 hash the guarantees are not optimal.

Besides being older and having better, modern algorithms available, SHA1 is vulnerable to attacks, including SHAttered and SHAmbles. This means it is possible for a motivated and well-funded adversary to mount an attack on the GitHub Actions ecosystem. Note that GitHub does have protections in place to detect such attacks, but from what is publicly available this is limited to the SHAttered attack.

This project is a response to that theoretical attack - providing a way to get, record, and validate checksums for GitHub Actions dependencies using a more secure hashing algorithm. As an added benefit, it can also be used as an alternative to in-workflow commit SHA.

Git's hash function transition

The Git project has a hash function transition objective with the goal of migrating from SHA-1 to SHA-256. This discussion was started around the time of the SHAttered attack and has gradually been developed over time but is, as of writing, still experimental. The transition would eliminate the need for this project from a security perspective, but it could remain useful due to its other perks.

License

This software is available under the Apache License 2.0 license, see LICENSE for the full license text. The contents of documentation are licensed under the CC BY 4.0 license.

Owner

  • Name: CHAINS research project at KTH Royal Institute of Technology
  • Login: chains-project
  • Kind: organization

"Consistent Hardening and Analysis of Software Supply Chains" at KTH, funded by SSF

GitHub Events

Total
  • Create event: 114
  • Release event: 5
  • Issues event: 29
  • Watch event: 11
  • Delete event: 102
  • Issue comment event: 58
  • Push event: 114
  • Pull request review comment event: 9
  • Pull request review event: 5
  • Pull request event: 199
  • Fork event: 1
Last Year
  • Create event: 114
  • Release event: 5
  • Issues event: 29
  • Watch event: 11
  • Delete event: 102
  • Issue comment event: 58
  • Push event: 114
  • Pull request review comment event: 9
  • Pull request review event: 5
  • Pull request event: 199
  • Fork event: 1

Committers

Last synced: 11 months ago

All Time
  • Total Commits: 107
  • Total Committers: 2
  • Avg Commits per committer: 53.5
  • Development Distribution Score (DDS): 0.467
Past Year
  • Commits: 78
  • Committers: 2
  • Avg Commits per committer: 39.0
  • Development Distribution Score (DDS): 0.372
Top Committers
Name Email Commits
dependabot[bot] 4****] 57
Eric Cornelissen e****n@g****m 50

Issues and Pull Requests

Last synced: 6 months ago

All Time
  • Total issues: 23
  • Total pull requests: 215
  • Average time to close issues: 19 days
  • Average time to close pull requests: 1 day
  • Total issue authors: 2
  • Total pull request authors: 2
  • Average comments per issue: 0.22
  • Average comments per pull request: 0.27
  • Merged pull requests: 125
  • Bot issues: 0
  • Bot pull requests: 125
Past Year
  • Issues: 18
  • Pull requests: 137
  • Average time to close issues: 19 days
  • Average time to close pull requests: about 21 hours
  • Issue authors: 2
  • Pull request authors: 2
  • Average comments per issue: 0.11
  • Average comments per pull request: 0.18
  • Merged pull requests: 76
  • Bot issues: 0
  • Bot pull requests: 69
View more stats
Top Authors
Issue Authors
  • ericcornelissen (22)
  • LogFlames (1)
Pull Request Authors
  • dependabot[bot] (125)
  • ericcornelissen (90)
Top Labels
Issue Labels
enhancement (8) bug (3) refactor (3) pending (2) documentation (2) meta (2) test (1)
Pull Request Labels
dependencies (140) ci/cd (75) enhancement (16) refactor (14) security (12) bug (10) test (9) meta (9) documentation (8)

Packages

  • Total packages: 1
  • Total downloads: unknown
  • Total dependent packages: 0
  • Total dependent repositories: 0
  • Total versions: 8
proxy.golang.org: github.com/chains-project/ghasum
  • Versions: 8
  • Dependent Packages: 0
  • Dependent Repositories: 0
Rankings
Dependent packages count: 5.6%
Average: 5.8%
Dependent repos count: 6.0%
Last synced: 6 months ago

Dependencies

.github/workflows/audit.yml actions
  • actions/checkout v4.1.1 composite
  • actions/setup-go v5.0.0 composite
.github/workflows/check.yml actions
  • actions/checkout v4.1.1 composite
  • actions/setup-go v5.0.0 composite
.github/workflows/codeql.yml actions
  • actions/checkout v4.1.1 composite
  • actions/setup-go v5.0.0 composite
  • github/codeql-action/analyze v3.24.3 composite
  • github/codeql-action/init v3.24.3 composite
.github/workflows/publish.yml actions
  • actions/checkout v4.1.1 composite
  • actions/setup-go v5.0.0 composite
  • ncipollo/release-action v1.14.0 composite
.github/workflows/semgrep.yml actions
  • actions/checkout v4.1.1 composite
  • github/codeql-action/upload-sarif v3.24.3 composite
go.mod go
  • 4d63.com/gochecknoinits v0.0.0-20210416043744-25bb07f6e4e3
  • dario.cat/mergo v1.0.0
  • github.com/BurntSushi/toml v1.3.2
  • github.com/KimMachineGun/automemlimit v0.5.0
  • github.com/Microsoft/go-winio v0.6.1
  • github.com/ProtonMail/go-crypto v1.0.0
  • github.com/alexkohler/dogsled v0.0.0-20240130174141-bb1f9c4c0c98
  • github.com/alexkohler/nakedret/v2 v2.0.2
  • github.com/alexkohler/prealloc v1.0.0
  • github.com/alexkohler/unimport v0.0.0-20171106223308-e6f2b2e2d406
  • github.com/butuzov/ireturn v0.3.0
  • github.com/catenacyber/perfsprint v0.7.0
  • github.com/cilium/ebpf v0.13.0
  • github.com/cloudflare/circl v1.3.7
  • github.com/containerd/cgroups/v3 v3.0.3
  • github.com/coreos/go-systemd/v22 v22.5.0
  • github.com/cristalhq/acmd v0.11.2
  • github.com/cyphar/filepath-securejoin v0.2.4
  • github.com/dkorunic/betteralign v0.4.0
  • github.com/docker/go-units v0.5.0
  • github.com/emirpasic/gods v1.18.1
  • github.com/fsnotify/fsnotify v1.7.0
  • github.com/go-critic/go-critic v0.11.1
  • github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376
  • github.com/go-git/go-billy/v5 v5.5.0
  • github.com/go-git/go-git/v5 v5.11.0
  • github.com/go-toolsmith/astcast v1.1.0
  • github.com/go-toolsmith/astcopy v1.1.0
  • github.com/go-toolsmith/astequal v1.2.0
  • github.com/go-toolsmith/astfmt v1.1.0
  • github.com/go-toolsmith/astp v1.1.0
  • github.com/go-toolsmith/pkgload v1.2.2
  • github.com/go-toolsmith/strparse v1.1.0
  • github.com/go-toolsmith/typep v1.1.0
  • github.com/gobwas/glob v0.2.3
  • github.com/godbus/dbus/v5 v5.1.0
  • github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
  • github.com/google/go-cmp v0.6.0
  • github.com/google/renameio/v2 v2.0.0
  • github.com/gordonklaus/ineffassign v0.1.0
  • github.com/hashicorp/hcl v1.0.0
  • github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99
  • github.com/jgautheron/goconst v1.7.0
  • github.com/kevinburke/ssh_config v1.2.0
  • github.com/kisielk/errcheck v1.7.0
  • github.com/klauspost/compress v1.17.6
  • github.com/kunwardeep/paralleltest v1.0.10
  • github.com/liamg/memoryfs v1.6.0
  • github.com/magiconair/properties v1.8.7
  • github.com/mdempsky/unconvert v0.0.0-20230907125504-415706980c06
  • github.com/mitchellh/mapstructure v1.5.0
  • github.com/nishanths/exhaustive v0.12.0
  • github.com/opencontainers/runtime-spec v1.2.0
  • github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58
  • github.com/pelletier/go-toml/v2 v2.1.1
  • github.com/pjbgf/sha1cd v0.3.0
  • github.com/polyfloyd/go-errorlint v1.4.8
  • github.com/quasilyte/go-ruleguard v0.4.0
  • github.com/quasilyte/gogrep v0.5.0
  • github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727
  • github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567
  • github.com/remyoudompheng/go-misc v0.0.0-20190427085024-2d6ac652a50e
  • github.com/rogpeppe/go-internal v1.12.0
  • github.com/sagikazarmark/locafero v0.4.0
  • github.com/sagikazarmark/slog-shim v0.1.0
  • github.com/sergi/go-diff v1.3.1
  • github.com/sirkon/dst v0.26.4
  • github.com/sirupsen/logrus v1.9.3
  • github.com/skeema/knownhosts v1.2.1
  • github.com/sourcegraph/conc v0.3.0
  • github.com/spf13/afero v1.11.0
  • github.com/spf13/cast v1.6.0
  • github.com/spf13/pflag v1.0.5
  • github.com/spf13/viper v1.18.2
  • github.com/subosito/gotenv v1.6.0
  • github.com/tetafro/godot v1.4.16
  • github.com/tomarrell/wrapcheck/v2 v2.8.1
  • github.com/ultraware/whitespace v0.1.0
  • github.com/xanzy/ssh-agent v0.3.3
  • gitlab.com/bosi/decorder v0.4.1
  • go.uber.org/automaxprocs v1.5.3
  • go.uber.org/multierr v1.11.0
  • go.uber.org/nilaway v0.0.0-20240216175439-fb8b98c43554
  • golang.org/x/crypto v0.19.0
  • golang.org/x/exp v0.0.0-20240213143201-ec583247a57a
  • golang.org/x/exp/typeparams v0.0.0-20240213143201-ec583247a57a
  • golang.org/x/mod v0.15.0
  • golang.org/x/net v0.21.0
  • golang.org/x/sync v0.6.0
  • golang.org/x/sys v0.17.0
  • golang.org/x/text v0.14.0
  • golang.org/x/tools v0.18.0
  • golang.org/x/vuln v1.0.4
  • google.golang.org/protobuf v1.32.0
  • gopkg.in/ini.v1 v1.67.0
  • gopkg.in/warnings.v0 v0.1.2
  • gopkg.in/yaml.v2 v2.4.0
  • gopkg.in/yaml.v3 v3.0.1
  • honnef.co/go/tools v0.4.6
  • mvdan.cc/unparam v0.0.0-20240104100049-c549a3470d14
go.sum go
  • 217 dependencies
.github/workflows/ghasum.yml actions
  • actions/checkout v4.1.2 composite
  • actions/setup-go v5.0.0 composite
  • stefanzweifel/git-auto-commit-action v5.0.0 composite
  • tibdex/github-app-token v2.1.0 composite