Tools like GitHub Actions, Ansible Galaxy, Terraform modules, and Helm charts have quietly evolved into de facto package managers because each resolves a transitive dependency tree. Yet most lack the security features mature package managers have built over years: lockfiles, integrity hashes, immutable version references, and full-tree pinning. The post analyzes each tool's registry, lockfile support, resolution algorithm, and mutability guarantees, then catalogs real supply chain incidents that resulted from these gaps (e.g., the tj-actions/changed-files attack, which affected 23,000 repositories). The core argument: once a tool supports transitive execution, it inherits every package manager problem whether it calls itself one or not, and ignoring that reality invites supply chain attacks.
Table of contents

- GitHub Actions
- Ansible Galaxy
- Terraform providers and modules
- Helm charts
- If it has transitive execution, it's a package manager