Monitoring reproducibility of GitHub Actions

Arnout Engelen arnout at bzzt.net
Thu Apr 16 16:23:47 UTC 2026


Hi,

Nice!

At the ASF, we explicitly allowlist action versions, and recently started checking actions with 'compiled' javascript for reproducibility before allowlisting. You can read more about this at https://github.com/apache/infrastructure-actions?tab=readme-ov-file#management-of-organization-wide-github-actions-allow-list, in particular https://github.com/apache/infrastructure-actions/tree/main/utils/verify_action_build and https://github.com/apache/infrastructure-actions/blob/main/.github/workflows/verify_dependabot_action.yml.

This already led to https://github.com/SonarSource/sonarqube-scan-action/pull/228.

Will definitely keep your projects in mind when we plan to extend that!


Kind regards,

Arnout

On Thu, Apr 16, 2026, at 18:02, Aman Sharma via rb-general wrote:
> Hi all,
> 
> I wanted to briefly share a project from our group at KTH Royal Institute of Technology. Eric Cornelissen <https://www.ericcornelissen.dev/>, a PhD student in our CHAINS <https://chains.proj.kth.se/> group, is maintaining an open-source project that monitors the reproducibility of GitHub Actions:
> https://github.com/ericcornelissen/reproducing-actions
> 
> The goal of the project is to assess whether GitHub Actions can be reproduced. Currently, it focuses on two types of Actions: JavaScript-based actions and Docker-based actions (composite actions are not considered). For JavaScript actions, the project rebuilds the distributed files and compares them bit-by-bit with the repository contents. For Docker actions, it rebuilds images from the Dockerfile and checks for semantic equivalence, using https://github.com/reproducible-containers/diffoci, across builds.
> 
> More details about the actions currently being monitored are available in the README. I am one of its contributors, so I would be happy to talk about it.
> 
> Regards,
> 
> Aman Sharma
> PhD Student
> KTH Royal Institute of Technology
> School of Electrical Engineering and Computer Science (EECS)
> Department of Theoretical Computer Science (TCS) <http://www.kth.se> <https://www.kth.se/profile/amansha>
> https://algomaster99.github.io/

-- 
Arnout Engelen
Engelen Open Source
https://engelen.eu
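The check both messages describe for JavaScript actions is "rebuild the distributed files, then compare them bit-by-bit with what is committed". The script below is an added example of that check, written for this thread; it is not code from reproducing-actions or from apache/infrastructure-actions. It assumes (as a convention, not a guarantee) that the action keeps its compiled output under `dist/` and that `npm ci` followed by `npm run build` regenerates it; both the directory name and the build commands are parameters. The `demo()` function builds a small constructed pair of directory trees so the comparison logic can be exercised offline without cloning anything.

```python
"""Bit-for-bit check of a JavaScript action's committed build output against a fresh rebuild.

Added example for the rb-general thread; not code from reproducing-actions or
apache/infrastructure-actions. Assumptions: compiled output lives under dist/
and `npm ci` + `npm run build` regenerates it (both are common conventions only).
"""
import hashlib
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large bundles do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root: Path) -> dict:
    """Map every regular file below root (path relative to root) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_trees(committed: Path, rebuilt: Path) -> dict:
    """Diff two directory trees by content.

    Returns three sorted lists; the build is reproducible only when all are empty.
    A file that exists on one side only is reported separately from a file whose
    bytes changed, because the two usually have different causes (build script
    drift vs. toolchain or dependency drift).
    """
    a, b = tree_digests(committed), tree_digests(rebuilt)
    return {
        "changed": sorted(f for f in a.keys() & b.keys() if a[f] != b[f]),
        "only_committed": sorted(a.keys() - b.keys()),
        "only_rebuilt": sorted(b.keys() - a.keys()),
    }


def is_reproducible(report: dict) -> bool:
    return not any(report.values())


def verify_action_build(repo: Path, dist: str = "dist",
                        build_cmds=(("npm", "ci"), ("npm", "run", "build"))) -> dict:
    """Snapshot the committed dist/, rebuild in place, and diff snapshot vs. rebuild.

    `dist` and `build_cmds` are assumptions about the action's layout; adjust them
    per action. Requires a checked-out repo at the tag you intend to allowlist.
    """
    committed = repo / dist
    with tempfile.TemporaryDirectory() as tmp:
        snapshot = Path(tmp) / "committed"
        shutil.copytree(committed, snapshot)
        for cmd in build_cmds:
            subprocess.run(cmd, cwd=repo, check=True)
        return compare_trees(snapshot, committed)


def demo() -> dict:
    """Constructed sample trees (not a real action): one identical file, one file
    whose bytes differ after the rebuild, and one file present only in the commit."""
    with tempfile.TemporaryDirectory() as tmp:
        committed, rebuilt = Path(tmp, "committed", "dist"), Path(tmp, "rebuilt", "dist")
        committed.mkdir(parents=True)
        rebuilt.mkdir(parents=True)
        (committed / "index.js").write_text("console.log('same');\n")
        (rebuilt / "index.js").write_text("console.log('same');\n")
        (committed / "licenses.txt").write_text("MIT\n")
        (rebuilt / "licenses.txt").write_text("MIT\nextra\n")
        (committed / "index.js.map").write_text("{}")
        return compare_trees(committed, rebuilt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = verify_action_build(Path(sys.argv[1]))
    else:
        report = demo()
    for kind, files in report.items():
        for f in files:
            print(f"{kind}: {f}")
    print("reproducible" if is_reproducible(report) else "NOT reproducible")
```

Run it with a path to a checked-out action (`python check.py path/to/action`) to do the real rebuild, or with no arguments to see the constructed demo, which reports `licenses.txt` as changed and `index.js.map` as present only in the commit. A non-empty report is the signal to look at the action before allowlisting it, not by itself proof of tampering: a toolchain version pinned differently from the maintainer's, or a build step that embeds timestamps, produces the same result.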