{
  "$type": "site.standard.document",
  "description": "GitHub Actions has a package manager that ignores decades of supply-chain security best practices: no lockfile, no integrity verification, no pinning of transitive dependencies",
  "path": "/2025/12/06/github-actions-package-manager.html",
  "publishedAt": "2025-12-06T10:00:00.000Z",
  "site": "at://did:plc:q3moczhdry2263q35ffqqzs5/site.standard.publication/3mnkktcb4vt2j",
  "tags": [
    "package-managers",
    "github",
    "git"
  ],
  "title": "GitHub Actions Has a Package Manager, and It Might Be the Worst"
}