I spend a lot of time studying package managers, and after a while you develop an eye for things that quack like one. Plenty of tools have registries, version pinning, code that gets downloaded and executed on your behalf. But flat lists of installable things aren’t very interesting.
The quacking that catches my ear is when something develops a dependency graph: your package depends on a package that depends on a package, and now you need resolution algorithms, lockfiles, integrity verification, and some way to answer “what am I actually running and how did it get here?”
Several tools that started out as plugin systems, CI runners, or chart templating engines have quietly grown transitive dependency trees. Now they walk like a package manager, quack like a package manager, and have all the problems that npm and Cargo and Bundler have spent years learning to manage, though most of them haven’t caught up on the solutions.
GitHub Actions
Registry: GitHub repos
Lockfile: No
Integrity hashes: No
Resolution algorithm: Recursive download, no constraint solving
Transitive pinning: No
Mutable versions: Yes, git tags can be moved. Immutable releases lock tags after publication but can still be deleted
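A small check that makes the profile above concrete, added here as an example and not code from the original post: it walks `uses:` references the way the Actions runner resolves them (recursively, with no lockfile) and reports every reference that is a movable tag or branch rather than a commit SHA, which is how a SHA-pinned composite action still pulls in unpinned transitive actions. The action names, the SHA and the file contents are constructed, and a dict stands in for fetching repositories from GitHub.

```python
import re

# Regex parser for `uses:` lines (no YAML dependency needed for this check)
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)', re.MULTILINE)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed sample "registry": a workflow pins its one direct action by full
# commit SHA, but that composite action pins nothing itself. Hypothetical names.
ACTION_SHA = "a" * 40
REGISTRY = {
    "example-org/setup-tool@" + ACTION_SHA: """
runs:
  using: composite
  steps:
    - uses: example-org/cache@v3
    - uses: example-org/toolchain@main
""",
    "example-org/cache@v3": "runs:\n  using: node20\n",
    "example-org/toolchain@main": "runs:\n  using: node20\n",
}
WORKFLOW = """
jobs:
  build:
    steps:
      - uses: example-org/setup-tool@""" + ACTION_SHA + """
      - uses: ./.github/actions/local
"""

def parse_uses(text):
    return USES_RE.findall(text)

def is_pinned(ref):
    """Only a full commit SHA is immutable; tags and branches can be moved.
    Returns None for refs with no @ (local paths, docker:// images)."""
    if "@" not in ref:
        return None
    return bool(SHA_RE.match(ref.rsplit("@", 1)[1]))

def resolve(text, fetch, depth=0, seen=None):
    """Recursive download with no lockfile: follow every `uses:` transitively.
    Yields (depth, ref, pinned); a SHA pin at depth 0 does not pin depth 1."""
    seen = seen if seen is not None else set()
    out = []
    for ref in parse_uses(text):
        if ref in seen:
            continue
        seen.add(ref)
        out.append((depth, ref, is_pinned(ref)))
        if ref in fetch:
            out.extend(resolve(fetch[ref], fetch, depth + 1, seen))
    return out

def mutable_refs(text, fetch):
    """Every transitive reference that a moved tag or branch could change."""
    return [ref for _, ref, pinned in resolve(text, fetch) if pinned is False]
```

Running it against the constructed workflow reports both actions reached through the SHA-pinned composite action as mutable, while the local path is skipped as out of scope.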