<!DOCTYPE html><html><head><title></title><style type="text/css">#qt P{margin-top:0px;margin-bottom:0px;}

</style></head><body><div>Hi,</div><div><br></div><div>Nice!</div><div><br></div><div>At the ASF, we explicitly allowlist action versions, and recently started checking actions with 'compiled' javascript for reproducibility before allowlisting. You can read more about this at <a href="https://github.com/apache/infrastructure-actions?tab=readme-ov-file#management-of-organization-wide-github-actions-allow-list">https://github.com/apache/infrastructure-actions?tab=readme-ov-file#management-of-organization-wide-github-actions-allow-list</a>, in particular <a href="https://github.com/apache/infrastructure-actions/tree/main/utils/verify_action_build">https://github.com/apache/infrastructure-actions/tree/main/utils/verify_action_build</a> and <a href="https://github.com/apache/infrastructure-actions/blob/main/.github/workflows/verify_dependabot_action.yml">https://github.com/apache/infrastructure-actions/blob/main/.github/workflows/verify_dependabot_action.yml</a>.</div><div><br></div><div>This already led to <a href="https://github.com/SonarSource/sonarqube-scan-action/pull/228">https://github.com/SonarSource/sonarqube-scan-action/pull/228</a> .</div><div><br></div><div>Will definitely keep your projects in mind when we plan to extend that!</div><div><br></div><div><br></div><div>Kind regards,</div><div><br></div><div>Arnout</div><div><br></div><div>On Thu, Apr 16, 2026, at 18:02, Aman Sharma via rb-general wrote:</div><blockquote type="cite" id="qt" style=""><div id="qt-divtagdefaultwrapper" style="font-size:12pt;color:rgb(0, 0, 0);font-family:Garamond, Georgia, serif;" dir="ltr"><p>Hi all,</p><p><br></p><p><br></p><p><span>I wanted to briefly share a project from our group at KTH Royal Institute of Technology. 
<a href="https://www.ericcornelissen.dev/" class="qt-OWAAutoLink">Eric Cornelissen</a>, a PhD student in our <a href="https://chains.proj.kth.se/" class="qt-OWAAutoLink">CHAINS</a> group, is maintaining an open-source project that monitors the reproducibility of GitHub Actions:</span><br> <a href="https://github.com/ericcornelissen/reproducing-actions" id="qt-LPlnk718057"><span>https://github.com/ericcornelissen/reproducing-actions</span></a></p><p><br></p><div><span>The goal of the project is to assess whether GitHub Actions can be reproduced. Currently, it focuses on two types of Actions: JavaScript-based actions and Docker-based actions (composite actions are not considered). For JavaScript actions, the project
 rebuilds the distributed files and compares them bit-by-bit with the repository contents. For Docker actions, it rebuilds images from the Dockerfile and checks for semantic equivalence, using <a href="https://github.com/reproducible-containers/diffoci" class="qt-OWAAutoLink">https://github.com/reproducible-containers/diffoci</a>,
 across builds.</span></div><p><br></p><p><span>More details about the current actions being monitored are available in the README. I am one of its contributors, so I would be happy to talk about it.</span></p><p><br></p><div id="qt-Signature"><div id="qt-divtagdefaultwrapper" dir="ltr" style="font-size:12pt;color:rgb(0, 0, 0);font-family:Calibri, Helvetica, sans-serif;"><div id="qt-m_4935352394101912768Signature"><div name="divtagdefaultwrapper"><div style="margin-top:0px;margin-bottom:0px;"><span class="font" style="font-family:Garamond, Georgia, serif;">Regards,</span></div><div><br></div><div style="margin-top:0px;margin-bottom:0px;"><span class="font" style="font-family:Garamond, Georgia, serif;">Aman Sharma</span></div></div><div name="divtagdefaultwrapper"><span class="size" style="font-size:13px;color:rgb(128, 128, 128);font-family:Arial, 'Helvetica Neue', helvetica, sans-serif;">PhD Student<br>KTH Royal Institute of Technology<br>School of Electrical Engineering and Computer Science (EECS)<br>Department of Theoretical Computer Science (TCS)</span></div></div><div><a href="https://algomaster99.github.io/" class="qt-OWAAutoLink" id="qt-LPNoLP">https://algomaster99.github.io/</a></div></div></div></div></blockquote><div><br></div><div id="sig124436424"><div class="signature">-- </div><div class="signature">Arnout Engelen</div><div class="signature">Engelen Open Source</div><div class="signature"><a href="https://engelen.eu">https://engelen.eu</a></div></div><div><br></div></body></html>
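As an added example (not code from the ASF infrastructure-actions repository, from the reproducing-actions project, or from either author in this thread), here is the JavaScript-action check both messages describe, in POSIX shell: rebuild the committed build output and compare it byte-for-byte with what the repository ships, before deciding whether to allowlist the version. The function names are hypothetical, the demo repository and its build.sh are constructed stand-ins for a real action and its bundler, and the Docker/diffoci side of the project is not covered here.

```shell
#!/bin/sh
# Rebuild a JavaScript action's committed build output and compare it
# byte-for-byte with what the repository ships (hypothetical helper names).
#   $1  checkout of the action repository at the pinned tag/commit
#   $2  directory inside the repo holding the committed output (e.g. dist)
#   $3  command that regenerates that directory (e.g. "npm ci && npm run build")
# Exit status: 0 = rebuild matches exactly, 1 = differs, 2 = could not build.
verify_dist_reproducible() {
  repo=$1; dist=$2; build_cmd=$3
  snapshot=$(mktemp -d) || return 2
  # Keep a copy of the committed output before the build overwrites it in place.
  cp -R "$repo/$dist/." "$snapshot/" || { rm -rf "$snapshot"; return 2; }
  # Run the build in a subshell so it cannot change the caller's cwd or env.
  if ! (cd "$repo" && sh -c "$build_cmd") >/dev/null 2>&1; then
    rm -rf "$snapshot"; return 2
  fi
  # diff -r catches added, removed and changed files, not just edited ones.
  if diff -rq "$snapshot" "$repo/$dist" >/dev/null; then
    status=0
  else
    status=1
  fi
  rm -rf "$snapshot"
  return "$status"
}

# Constructed demo "action repository" under $1. build.sh stands in for the
# real bundler and concatenates src/ into dist/index.js. With $2 = 1 it also
# embeds a per-build serial number, mimicking tools that write a build id or
# timestamp into their output, which is a classic reproducibility failure.
make_demo_repo() {
  dir=$1; stamped=$2
  mkdir -p "$dir/src" "$dir/dist"
  printf 'module.exports = () => "hello";\n' > "$dir/src/index.js"
  cat > "$dir/build.sh" <<'EOF'
#!/bin/sh
{ printf '// bundled by demo build\n'; cat src/index.js; } > dist/index.js
if [ "$STAMP_BUILD" = 1 ]; then
  n=$(cat .buildcount 2>/dev/null || echo 0); n=$((n + 1))
  echo "$n" > .buildcount
  printf '// build #%s\n' "$n" >> dist/index.js
fi
EOF
  # Produce the "committed" dist/ the way a maintainer would: run the build once.
  (cd "$dir" && STAMP_BUILD=$stamped sh build.sh)
}

# Stand-alone demonstration: one repo whose build is deterministic, one whose
# bundler stamps each build, both checked the way a pre-allowlist gate would.
demo() {
  work=$(mktemp -d)
  make_demo_repo "$work/good" 0
  make_demo_repo "$work/bad" 1
  if verify_dist_reproducible "$work/good" dist "sh build.sh"; then
    echo "good: rebuilt dist/ matches the committed one"
  fi
  if ! verify_dist_reproducible "$work/bad" dist "STAMP_BUILD=1 sh build.sh"; then
    echo "bad: rebuilt dist/ differs, do not allowlist without investigating"
  fi
  rm -rf "$work"
}

demo
```

Against a real checkout this is `verify_dist_reproducible /path/to/action dist "npm ci && npm run build"`. The committed output is snapshotted first because the build overwrites it in place, and a failed build (exit 2) is kept distinct from a mismatch (exit 1) so a broken toolchain is never mistaken for a non-reproducible action, or vice versa.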