
No Mutable Refs + GitHub Actions Collector

Tags: Guardrail, Collector, Beta, DevEx, Build and CI

Enforce No Mutable Refs using data collected by the GitHub Actions Collector. Automatically check DevEx build and CI standards on every PR.

Guardrail: Ensures no third-party CI dependencies reference mutable refs such as @main, @master, or @latest. Reads from the normalized .ci.dependencies field of the Component JSON.
Data Source: Parses and lints GitHub Actions workflow files. Extracts structured data from every workflow (triggers, jobs, action references), runs actionlint for syntax and type checking, and classifies the version-pinning status of every third-party action reference.

How GitHub Actions Collector Powers This Guardrail

The GitHub Actions Collector gathers metadata from your systems. This data flows into Lunar's Component JSON, where the No Mutable Refs guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1. GitHub Actions Collector gathers data (Collector): extracts metadata from code, configs, and tool outputs.
2. Component JSON: data centralized in a structured format for evaluation.
3. No Mutable Refs checks (Guardrail): pass/fail result with actionable feedback in PRs.

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

lunar-config.yml:
# Step 1: Enable the GitHub Actions Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/github-actions@v1.0.5
    # with: ...

# Step 2: Enable the CI Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/ci@v1.0.5
    include: [no-mutable-refs]
    # with: ...

What GitHub Actions Collector Collects

This collector gathers the following data that the No Mutable Refs guardrail evaluates.

workflows: Parses all GitHub Actions workflow files in .github/workflows/, runs actionlint for lint errors, and classifies action version pinning (SHA, tag, branch, unpinned) for supply-chain hygiene.

Example Data Flow

Here's an example of the data that the GitHub Actions Collector writes to the Component JSON, which No Mutable Refs then evaluates. Note that only the .ci.dependencies block is consulted by this guardrail; the lint and native blocks are shown for context.

component.json (from GitHub Actions Collector):
{
  "ci": {
    "lint": {
      "source": { "tool": "actionlint", "version": "1.7.7", "integration": "code" },
      "errors": [
        {
          "file": ".github/workflows/ci.yml",
          "line": 42,
          "column": 9,
          "message": "property \"unknown_field\" is not defined",
          "rule": "syntax-check"
        }
      ],
      "error_count": 1,
      "warning_count": 0
    },
    "dependencies": {
      "source": { "tool": "github-actions", "version": "0.1.0", "integration": "code" },
      "total": 3,
      "pinned": 2,
      "unpinned": 1,
      "items": [
        { "name": "actions/checkout", "ref": "abc123def456", "pinning": "sha", "party": "1st" },
        { "name": "docker/build-push-action", "ref": "v5.1.0", "pinning": "tag", "party": "3rd" },
        { "name": "docker/login-action", "ref": "main", "pinning": "branch", "party": "3rd" }
      ],
      "third_party_unpinned": ["docker/login-action@main"]
    },
    "native": {
      "github_actions": {
        "source": { "tool": "github-actions", "version": "0.1.0", "integration": "code" },
        "workflows": [
          {
            "file": ".github/workflows/ci.yml",
            "name": "CI",
            "triggers": ["push", "pull_request"],
            "jobs": {
              "build": {
                "steps": [
                  { "uses": "actions/checkout@abc123def456", "with": { "persist-credentials": false } },
                  { "run": "make build" }
                ]
              },
              "test": {
                "steps": [
                  { "uses": "actions/checkout@abc123def456" },
                  { "run": "make test" }
                ]
              }
            },
            "permissions": { "contents": "read" },
            "actions": [
              { "uses": "actions/checkout@abc123def456", "pinning": "sha", "party": "1st" },
              { "uses": "docker/build-push-action@v5.1.0", "pinning": "tag", "party": "3rd" },
              { "uses": "docker/login-action@main", "pinning": "branch", "party": "3rd" }
            ]
          }
        ]
      }
    }
  }
}
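As an added example (not Lunar's or the collector's own code), the following Python sketch shows both halves of the flow above: building the normalized .ci.dependencies block from raw `uses:` strings, and then evaluating the No Mutable Refs guardrail over that block in the way the description on this page implies (third-party entries whose ref is a branch, absent, or a moving name such as main, master or latest fail). The SHA and tag regexes, the "owner actions/ is first-party" rule, and the sample `uses:` values are assumptions constructed for this example; they mirror the shape of the sample JSON but are not the collector's real classification rules.

```python
import re

# Refs that move over time: a third-party action pinned to one of these can
# change underneath every workflow run without any change to the workflow file.
MUTABLE_REFS = {"main", "master", "latest"}

# Classification heuristics (assumed for this example, not the collector's own
# rules): 7-40 lowercase hex chars is a commit SHA, "v1.2.3" / "5" / "v5" is a
# tag, anything else is treated as a branch name.
SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")


def parse_uses(uses):
    """Split a workflow 'uses:' value into (name, ref); ref is None if absent."""
    name, sep, ref = uses.partition("@")
    return name, (ref if sep else None)


def classify_pinning(ref):
    """Return one of 'sha', 'tag', 'branch', or 'unpinned'."""
    if not ref:
        return "unpinned"
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"


def party_for(name, first_party_owners=("actions",)):
    """Classify an action as '1st' or '3rd' party by its owner (assumed rule)."""
    owner = name.split("/", 1)[0]
    return "1st" if owner in first_party_owners else "3rd"


def collect_dependencies(workflow_uses):
    """Build the normalized .ci.dependencies block from raw 'uses:' strings."""
    items = []
    for uses in workflow_uses:
        name, ref = parse_uses(uses)
        items.append({
            "name": name,
            "ref": ref,
            "pinning": classify_pinning(ref),
            "party": party_for(name),
        })
    # Mirrors the sample JSON: SHA and tag count as pinned, branch/unpinned do not.
    pinned = sum(1 for i in items if i["pinning"] in ("sha", "tag"))
    return {
        "total": len(items),
        "pinned": pinned,
        "unpinned": len(items) - pinned,
        "items": items,
        "third_party_unpinned": [
            f"{i['name']}@{i['ref']}" if i["ref"] else i["name"]
            for i in items
            if i["party"] == "3rd" and i["pinning"] not in ("sha", "tag")
        ],
    }


def check_no_mutable_refs(component):
    """Evaluate the guardrail over component['ci']['dependencies']['items']."""
    items = component.get("ci", {}).get("dependencies", {}).get("items", [])
    violations = []
    for item in items:
        if item.get("party") != "3rd":
            continue  # first-party actions are out of scope for this guardrail
        ref = item.get("ref")
        pinning = item.get("pinning")
        if pinning in ("branch", "unpinned") or (ref or "").lower() in MUTABLE_REFS:
            violations.append(
                f"{item['name']}@{ref or '<none>'}: third-party action uses a "
                f"mutable ref ({pinning}); pin it to a full commit SHA"
            )
    return {"pass": not violations, "violations": violations}


# Constructed sample input matching the three actions in the page's example.
SAMPLE_USES = [
    "actions/checkout@abc123def456",
    "docker/build-push-action@v5.1.0",
    "docker/login-action@main",
]
SAMPLE_COMPONENT = {"ci": {"dependencies": collect_dependencies(SAMPLE_USES)}}


if __name__ == "__main__":
    result = check_no_mutable_refs(SAMPLE_COMPONENT)
    print("PASS" if result["pass"] else "FAIL")
    for v in result["violations"]:
        print(" -", v)
```

Run as a script it reports FAIL with a single violation for docker/login-action@main, which is exactly the entry the sample JSON lists under third_party_unpinned; the first-party actions/checkout entry is skipped and the tag-pinned docker/build-push-action passes.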

Ready to Automate Your Standards?

See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process: AI agent rules and prompt files, post-mortem action items, security and compliance policies, testing and quality requirements.