piiiico/commit-action
Commit Dependency Trust

GitHub Action — scan your npm/PyPI dependencies for supply chain risk before they land in main.

What it does

Commit scores each dependency on behavioral commitment signals:

  • A single maintainer combined with massive download volume (historically the highest-value attack target)
  • New packages whose download counts spiked overnight
  • Packages with no recent releases (potentially abandoned)

CRITICAL packages share the risk profile of axios (April 2026) and LiteLLM (March 2026) — the ones that actually got exploited.

Quick start

```yaml
# .github/workflows/supply-chain.yml
name: Supply Chain Audit
on:
  pull_request:
    paths: ['package.json', 'package-lock.json', 'bun.lock']

jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: piiiico/commit-action@v1
        with:
          fail-on-critical: true   # blocks merges on CRITICAL packages
          comment-on-pr: true      # posts results as a PR comment
```

What you get

On every PR touching dependencies, Commit posts a comment:

| Package | Risk | Score | Maintainers | Downloads/wk | Age |
|---|---|---|---|---|---|
| axios | 🔴 CRITICAL | 86 | 1 | 100M | 11.7y |
| zod | 🔴 CRITICAL | 86 | 1 | 162M | 6.1y |
| chalk | 🔴 CRITICAL | 75 | 1 | 422M | 12.7y |

Inputs

| Input | Default | Description |
|---|---|---|
| packages | auto-detect | Comma-separated package names (or leave empty to auto-detect from package.json) |
| ecosystem | auto | npm, pypi, or auto |
| fail-on-critical | true | Block merges when CRITICAL packages are found |
| max-packages | 20 | Maximum number of packages to audit when auto-detecting |
| include-dev-dependencies | false | Include devDependencies |
| comment-on-pr | true | Post results as a PR comment (updated in place on re-run) |
| github-token | ${{ github.token }} | Token for posting PR comments |

Outputs

| Output | Description |
|---|---|
| has-critical | true if CRITICAL packages were found |
| critical-count | Number of CRITICAL packages |
| audit-summary | Audit results as a markdown table |
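The outputs above can drive a follow-up step instead of relying only on fail-on-critical. The workflow below is an added example, not part of the action's own documentation: the step id `audit`, the explicit input values and the reporting step are assumptions, and the two output values are passed through `env` rather than interpolated straight into the shell so that the markdown summary cannot alter the script.

```yaml
# .github/workflows/supply-chain-report.yml (added example, not from the project)
name: Supply Chain Audit (report outputs)
on:
  pull_request:
    paths: ['package.json', 'package-lock.json', 'bun.lock']

jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - id: audit                         # assumed id; needed to read outputs below
        uses: piiiico/commit-action@v1
        with:
          ecosystem: npm
          fail-on-critical: false         # decide in the next step instead
          include-dev-dependencies: false
          max-packages: 20
          comment-on-pr: true
      - name: Write CRITICAL findings to the job summary and fail
        if: steps.audit.outputs.has-critical == 'true'
        env:
          CRITICAL_COUNT: ${{ steps.audit.outputs.critical-count }}
          AUDIT_SUMMARY: ${{ steps.audit.outputs.audit-summary }}
        run: |
          # Outputs arrive as environment variables, so their content is data, not script.
          printf 'CRITICAL packages: %s\n\n%s\n' "$CRITICAL_COUNT" "$AUDIT_SUMMARY" >> "$GITHUB_STEP_SUMMARY"
          exit 1
```

Splitting the gate out like this keeps the PR comment from comment-on-pr and adds the same table to the job summary, while the failure decision stays in a step whose condition and message the repository controls.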

Badge

Add to your README:

[![Supply Chain Audit](https://img.shields.io/badge/supply%20chain-audited%20by%20Commit-purple)](https://getcommit.dev)

Why CRITICAL?

CRITICAL = sole maintainer + >10M weekly downloads.

This is the exact risk profile of every major npm supply chain attack in 2025–2026. A single maintainer account compromise poisons millions of downstream installs in hours. Commit flags these before the attack happens, not after.
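To make the three signals from "What it does" and the CRITICAL rule stated here concrete, the following is an added example, not Commit's own scoring code. It applies the README's rule (sole maintainer and more than 10M weekly downloads) to constructed package metadata and mirrors the action's three outputs. The `PackageMeta` fields, the `weekly_growth` ratio and the thresholds for the "new package spike" and "no recent release" signals are assumptions; the numeric risk score the action reports is not reproduced because the README does not publish its formula.

```python
"""Illustrative re-implementation of the README's risk signals (added example).

Only the CRITICAL rule the README states is reproduced exactly; the thresholds
for the two softer signals and the PackageMeta fields are assumptions.
"""
from dataclasses import dataclass

# Rule stated in the README: CRITICAL = sole maintainer + >10M weekly downloads.
CRITICAL_MAINTAINERS = 1
CRITICAL_WEEKLY_DOWNLOADS = 10_000_000

# Assumed thresholds for the two softer signals (not given on the page).
NEW_PACKAGE_MAX_AGE_DAYS = 30   # "new packages ..."
SPIKE_GROWTH_FACTOR = 10.0      # "... that spiked overnight": week-over-week ratio
STALE_RELEASE_DAYS = 365        # "no recent releases (potentially abandoned)"


@dataclass
class PackageMeta:
    """Registry metadata for one dependency (only the fields the signals need)."""
    name: str
    maintainers: int
    weekly_downloads: int
    age_days: int
    days_since_release: int
    weekly_growth: float = 1.0  # this week's downloads / last week's; 1.0 = flat


def is_critical(pkg: PackageMeta) -> bool:
    """The README's CRITICAL rule: one maintainer account and >10M weekly installs."""
    return (pkg.maintainers == CRITICAL_MAINTAINERS
            and pkg.weekly_downloads > CRITICAL_WEEKLY_DOWNLOADS)


def risk_signals(pkg: PackageMeta) -> list[str]:
    """Return the names of every signal that fires for this package."""
    signals: list[str] = []
    if is_critical(pkg):
        signals.append("sole-maintainer-high-volume")
    if pkg.age_days <= NEW_PACKAGE_MAX_AGE_DAYS and pkg.weekly_growth >= SPIKE_GROWTH_FACTOR:
        signals.append("new-package-spike")
    if pkg.days_since_release > STALE_RELEASE_DAYS:
        signals.append("no-recent-release")
    return signals


def audit(packages: list[PackageMeta]) -> dict:
    """Mirror the action's outputs: has-critical, critical-count, audit-summary."""
    rows = []
    critical = 0
    for pkg in packages:
        signals = risk_signals(pkg)
        if is_critical(pkg):
            level = "CRITICAL"
            critical += 1
        elif signals:
            level = "WARN"   # assumed label for non-critical findings
        else:
            level = "OK"
        rows.append(f"| {pkg.name} | {level} | {', '.join(signals) or '-'} |")
    summary = "| Package | Risk | Signals |\n|---|---|---|\n" + "\n".join(rows)
    return {"has-critical": critical > 0, "critical-count": critical, "audit-summary": summary}


# Constructed sample metadata (hypothetical names, not real registry numbers).
SAMPLE = [
    PackageMeta("solo-http-client", maintainers=1, weekly_downloads=100_000_000,
                age_days=4270, days_since_release=20),
    PackageMeta("team-schema-lib", maintainers=4, weekly_downloads=160_000_000,
                age_days=2200, days_since_release=10),
    PackageMeta("fresh-util", maintainers=1, weekly_downloads=5_000,
                age_days=6, days_since_release=2, weekly_growth=40.0),
    PackageMeta("old-helper", maintainers=2, weekly_downloads=300_000,
                age_days=3000, days_since_release=900),
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    print(result["audit-summary"])
    print("has-critical:", result["has-critical"], "critical-count:", result["critical-count"])
```

Note that team-schema-lib has more downloads than solo-http-client but is not CRITICAL: the rule is about a single compromisable account in front of a large install base, not about volume alone.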

Learn more at getcommit.dev


Built by Commit — behavioral commitment signals for supply chain trust.
