<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title></title>
<style type="text/css">#qt P{margin-top:0px;margin-bottom:0px;}
</style>
</head>
<body>
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Garamond,Georgia,serif;" dir="ltr">
<p>Hi Arnout,</p>
<p><br>
</p>
<p>Thanks for sharing the infrastructure! It is quite cool.</p>
<p><br>
</p>
<p>> <span>At the ASF, we explicitly allowlist action versions,</span></p>
<p><br>
</p>
<p>I am interested to know more about it. I see in your repository that the final output is <span>approved_patterns.yml</span>. How do you enforce this regularly? Is there a CI job updating
<a href="https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-select-actions-and-reusable-workflows-to-run" class="OWAAutoLink">
"<span>Allow or block specified actions and reusable workflows</span>" under "Org Settings > Actions > General"</a>? We also do it, but we don't have a lot of actions, so we are okay with doing this manually. </p>
<p><br>
</p>
<p>I also see many <a href="https://github.com/apache/infrastructure-actions/blob/8a059befd17ed98f4942c5cf3a67b7378045b669/approved_patterns.yml#L26-L28" class="OWAAutoLink">
unpinned actions</a> in that file. You may want to pin them :)</p>
<p><br>
</p>
<p>By the way, does your infrastructure also check reproducibility for composite actions?</p>
<p><br>
</p>
<p>> This already led to <a href="https://github.com/SonarSource/sonarqube-scan-action/pull/228" target="_blank" rel="noopener noreferrer" title="Ctrl+Click or tap to follow the link">https://github.com/SonarSource/sonarqube-scan-action/pull/228</a> .</p>
<p><br>
</p>
<p>Nice! We also have some "trophies" which we record <a href="https://github.com/ericcornelissen/reproducing-actions#trophies" class="OWAAutoLink">
here</a>.</p>
<p><br>
</p>
<p>> <span>Will definitely keep your projects in mind when we plan to extend that!</span></p>
<p><br>
</p>
<p>We will also look at the actions you have and create monitors for them.</p>
<p><br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size: 12pt; color: rgb(0, 0, 0); font-family: Calibri, Helvetica, sans-serif, "EmojiFont", "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols;">
<div id="m_4935352394101912768Signature">
<div name="divtagdefaultwrapper"><font size="2" color="#808080"><span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)"><span id="divtagdefaultwrapper" style="font-size:12pt">
<div style="margin-top:0; margin-bottom:0"><span style="color:rgb(0,0,0); font-family:Garamond,Georgia,serif">Regards,</span></div>
<div style="margin-top:0; margin-bottom:0"><span style="color:rgb(0,0,0); font-family:Garamond,Georgia,serif">Aman Sharma</span></div>
</span><br>
</span></font></div>
<div name="divtagdefaultwrapper"><font size="2" color="#808080"><span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)"></span><span class="im">PhD Student<br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">KTH Royal Institute of Technology</span><br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
</span><span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">School of Electrical Engineering and Computer Science (EECS)</span><br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">Department of Theoretical Computer Science (TCS)</span><br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
</font></div>
</div>
<a href="https://algomaster99.github.io/" class="OWAAutoLink" id="LPNoLP">https://algomaster99.github.io/</a><br>
</div>
</div>
</div>
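<p>An added example, not code from the ASF infrastructure-actions tooling nor from the reproducing-actions project: a small Python linter that reads a workflow file, extracts every <span>uses:</span> target, checks it against an allowlist written in the syntax GitHub accepts in the "Allow specified actions and reusable workflows" field (<span>owner/repo@ref</span> with <span>*</span> as wildcard), and additionally flags targets that are not pinned to a full 40-hex commit SHA. The allowlist, the sample workflow and the checkout SHA in it are constructed for this example; the pattern list is a plain Python list and does not follow the schema of <span>approved_patterns.yml</span>. Note the caveat this thread is circling: GitHub's allowlist does not require SHA pinning, so <span>actions/checkout@*</span> admits <span>@v4</span> just as it admits a commit, which is why the pinning check here is separate policy on top of the allowlist.</p>

```python
import re

# Constructed allowlist in the syntax of GitHub's "Allow specified actions and
# reusable workflows" setting. Example entries for this script only, not any
# organisation's real list.
APPROVED_PATTERNS = [
    "actions/checkout@*",
    "actions/setup-node@*",
    "docker/login-action@*",
]

# Constructed workflow used as input; the checkout SHA is a placeholder value.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: actions/setup-node@v4
      - uses: example-org/unlisted-action@v1
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - run: npm test
"""

# Matches step-level and job-level `uses:` lines, with or without quotes,
# stopping at whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def pattern_to_regex(pattern):
    """Turn an allowlist glob into a regex; only '*' is special.
    Action names are matched case-insensitively (assumption, mirroring
    GitHub's case-insensitive owner/repo handling)."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def check_ref(ref, patterns):
    """Classify one `uses:` target.
    Returns (status, reason) with status in
    ok / unpinned / blocked / local / docker / error."""
    if ref.startswith("./"):
        return "local", "local action, outside the allowlist"
    if ref.startswith("docker://"):
        return "docker", "container image; pin it by digest rather than tag"
    if "@" not in ref:
        return "error", "missing @ref"
    _, _, version = ref.rpartition("@")
    if not any(pattern_to_regex(p).match(ref) for p in patterns):
        # This is what the org setting would refuse at run time.
        return "blocked", "not covered by approved patterns"
    if not SHA_RE.match(version):
        # Allowed by the allowlist, but a tag or branch can be moved later.
        return "unpinned", "'%s' is a mutable tag or branch; pin to a full commit SHA" % version
    return "ok", "allowlisted and pinned"


def audit(workflow_text, patterns):
    """Return one finding per `uses:` line: {'line', 'ref', 'status', 'reason'}."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            status, reason = check_ref(m.group(1), patterns)
            findings.append({"line": line_no, "ref": m.group(1),
                             "status": status, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOW, APPROVED_PATTERNS):
        print("line %2d %-9s %s (%s)" % (f["line"], f["status"], f["ref"], f["reason"]))
```

<p>Run over the sample, the five <span>uses:</span> lines come back as ok, unpinned, blocked, local and docker respectively. A "blocked" result pre-merge saves a failed run later; "unpinned" is the finding the thread's pinning remark is about. A SHA pin still only fixes which commit runs, not whether the checked-in <span>dist/</span> matches that commit's sources, which is what the reproducibility checks discussed here add on top.</p>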
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Arnout Engelen <arnout@bzzt.net><br>
<b>Sent:</b> Thursday, April 16, 2026 6:23:47 PM<br>
<b>To:</b> rb-general<br>
<b>Cc:</b> Aman Sharma; Eric Cornelissen<br>
<b>Subject:</b> Re: Monitoring reproducibility of GitHub Actions</font>
<div> </div>
</div>
<div>
<div>Hi,</div>
<div><br>
</div>
<div>Nice!</div>
<div><br>
</div>
<div>At the ASF, we explicitly allowlist action versions, and recently started checking actions with 'compiled' javascript for reproducibility before allowlisting. You can read more about this at
<a href="https://github.com/apache/infrastructure-actions?tab=readme-ov-file#management-of-organization-wide-github-actions-allow-list">
https://github.com/apache/infrastructure-actions?tab=readme-ov-file#management-of-organization-wide-github-actions-allow-list</a>, in particular
<a href="https://github.com/apache/infrastructure-actions/tree/main/utils/verify_action_build">
https://github.com/apache/infrastructure-actions/tree/main/utils/verify_action_build</a> and
<a href="https://github.com/apache/infrastructure-actions/blob/main/.github/workflows/verify_dependabot_action.yml">
https://github.com/apache/infrastructure-actions/blob/main/.github/workflows/verify_dependabot_action.yml</a>.</div>
<div><br>
</div>
<div>This already led to <a href="https://github.com/SonarSource/sonarqube-scan-action/pull/228">https://github.com/SonarSource/sonarqube-scan-action/pull/228</a> .</div>
<div><br>
</div>
<div>Will definitely keep your projects in mind when we plan to extend that!</div>
<div><br>
</div>
<div><br>
</div>
<div>Kind regards,</div>
<div><br>
</div>
<div>Arnout</div>
<div><br>
</div>
<div>On Thu, Apr 16, 2026, at 18:02, Aman Sharma via rb-general wrote:</div>
<blockquote type="cite" id="qt" style="">
<div id="qt-divtagdefaultwrapper" style="font-size:12pt;color:rgb(0, 0, 0);font-family:Garamond, Georgia, serif;" dir="ltr">
<p>Hi all,</p>
<p><br>
</p>
<p><br>
</p>
<p><span>I wanted to briefly share a project from our group at KTH Royal Institute of Technology. <a href="https://www.ericcornelissen.dev/" class="qt-OWAAutoLink">Eric Cornelissen</a>, a PhD student in our
<a href="https://chains.proj.kth.se/" class="qt-OWAAutoLink">CHAINS</a> group, is maintaining an open-source project that monitors the reproducibility of GitHub Actions:</span><br>
<a href="https://github.com/ericcornelissen/reproducing-actions" id="qt-LPlnk718057"><span>https://github.com/ericcornelissen/reproducing-actions</span></a></p>
<p><br>
</p>
<div><span>The goal of the project is to assess whether GitHub Actions can be reproduced. Currently, it focuses on two types of Actions: JavaScript-based actions and Docker-based actions (composite actions are not considered). For JavaScript actions, the project
rebuilds the distributed files and compares them bit-by-bit with the repository contents. For Docker actions, it rebuilds images from the Dockerfile and checks for semantic equivalence, using <a href="https://github.com/reproducible-containers/diffoci" class="qt-OWAAutoLink">https://github.com/reproducible-containers/diffoci</a>,
across builds.</span></div>
<p><br>
</p>
<p><span></span><br>
</p>
<p><span>More details about the actions currently being monitored are available in the README. I am one of its contributors, so I would be happy to talk about it.</span></p>
<p><br>
</p>
<div id="qt-Signature">
<div id="qt-divtagdefaultwrapper" dir="ltr" style="font-size:12pt;color:rgb(0, 0, 0);font-family:Calibri, Helvetica, sans-serif, "EmojiFont", "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols;">
<div id="qt-m_4935352394101912768Signature">
<div name="divtagdefaultwrapper"><span class="size" style="font-size:13px;"><span class="color" style="color:rgb(128, 128, 128);"><span style="background-color:rgb(255, 255, 255);"><span class="font" style="font-family:Arial, "Helvetica Neue", helvetica, sans-serif;"><span class="size" style="font-size:12pt;">
<div style="margin-top:0px;margin-bottom:0px;"><span style="color:rgb(0, 0, 0);"><span class="font" style="font-family:Garamond, Georgia, serif;">Regards,</span></span></div>
<div><br>
</div>
<div style="margin-top:0px;margin-bottom:0px;"><span style="color:rgb(0, 0, 0);"><span class="font" style="font-family:Garamond, Georgia, serif;">Aman Sharma</span></span></div>
</span></span></span></span></span></div>
<div name="divtagdefaultwrapper"><span class="size" style="font-size:13px;"><span class="color" style="color:rgb(128, 128, 128);"><span style="background-color:rgb(255, 255, 255);"><span class="font" style="font-family:Arial, "Helvetica Neue", helvetica, sans-serif;"></span></span><span class="qt-im">PhD
Student<br style="font-family:Arial, "Helvetica Neue", helvetica, sans-serif;">
<span style="background-color:rgb(255, 255, 255);"><span class="font" style="font-family:Arial, "Helvetica Neue", helvetica, sans-serif;">KTH Royal Institute of Technology</span></span><br style="font-family:Arial, "Helvetica Neue", helvetica, sans-serif;">
</span><span style="background-color:rgb(255, 255, 255);"><span class="font" style="font-family:Arial, "Helvetica Neue", helvetica, sans-serif;">School of Electrical Engineering and Computer Science (EECS)</span></span><br style="font-family:Arial, "Helvetica Neue", helvetica, sans-serif;">
<span style="background-color:rgb(255, 255, 255);"><span class="font" style="font-family:Arial, &quot;Helvetica Neue&quot;, helvetica, sans-serif;">Department of Theoretical Computer Science (TCS)</span></span></span></span></div>
</div>
<div><a href="https://algomaster99.github.io/" class="qt-OWAAutoLink" id="qt-LPNoLP">https://algomaster99.github.io/</a></div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div id="sig124436424">
<div class="signature">-- </div>
<div class="signature">Arnout Engelen</div>
<div class="signature">Engelen Open Source</div>
<div class="signature"><a href="https://engelen.eu">https://engelen.eu</a></div>
</div>
<div><br>
</div>
</div>
</body>
</html>