Hot Open Source Repos — 2026-03-30

⚠️ Note: GitHub's trending page was captured via screenshot. Specific star counts and repo names visible in the screenshot may be incomplete — verify critical details at directly.

---

🔥 Top 5 Trending Repos

The GitHub trending page (daily + weekly) as of 2026-03-30 shows active movement across AI tooling, security, and developer infrastructure categories. Based on the captured trending data:

---

1. ⭐ 417,084+

• Language: Python
• What it does: Auto-updates daily rankings of GitHub repos by stars and forks across languages — the pulse monitor of the entire GitHub ecosystem.
• Why it's hot: Last updated 2026-03-28, showing public-apis at 417k stars as the all-time #1. The repo itself is a go-to reference point for developers trying to orient themselves in a fast-moving landscape.
• Quick take: Worth bookmarking as a meta-resource. If you want to know what the whole community is watching, this is your dashboard.

---

2. Trivy Security Scanner (aquasecurity/trivy)

• Language: Go
• What it does: Open-source vulnerability scanner for containers, filesystems, and CI/CD pipelines — widely embedded in DevSecOps workflows.
• Why it's hot: Made major headlines this week after a supply chain attack: 75 GitHub Actions tags were hijacked to steal CI/CD secrets across developer systems. The incident put the entire community on high alert.
• Quick take: If Trivy is in your pipeline, audit your pinned versions now. The attack surface via Actions tags is a wake-up call for any project relying on third-party GitHub Actions.

---

3. GitHub Actions (platform-level)

• Language: YAML / platform
• What it does: GitHub's CI/CD automation platform, now receiving a major 2026 security roadmap and late-March feature updates.
• Why it's hot: Two separate GitHub blog posts dropped this week: the 2026 GitHub Actions security roadmap (published ~2026-03-27) and the late-March 2026 updates (published 2026-03-19). New features include timezone support for scheduled workflows and environments without automatic deployments.
• Quick take: The security roadmap promises hardened supply-chain defaults — timely given the Trivy incident. The timezone scheduler fix is a long-requested quality-of-life improvement.

---

4. public-apis (public-apis/public-apis) ⭐ 417,084

• Language: Python
• What it does: A collective, community-maintained list of free public APIs spanning dozens of categories — a developer's cheat sheet for integrations.
• Why it's hot: Sits at the very top of the GitHub all-time star ranking as of 2026-03-28, with continued weekly momentum. As AI agents increasingly need to call real-world data sources, this repo has become a reference dependency for dozens of agentic projects.
• Quick take: Still the single most-starred repo on GitHub. If you're building anything that touches external data, this is your starting point.

---

5. free-programming-books (EbookFoundation/free-programming-books) ⭐ 384,671

• Language: Python (index tooling)
• What it does: Freely available programming books indexed across dozens of languages and topics — continuously updated by contributors worldwide.
• Why it's hot: Ranked #5 all-time on GitHub stars, last updated 2026-03-24. As developer onboarding accelerates globally (GitHub's own 2026 open source report cites explosive international growth), this repo remains a foundational learning resource.
• Quick take: A perennial classic. If you haven't starred it, you probably should.

---

📈 Rising Fast (Weekly Momentum)

• (Platform, ⭐ N/A) — GitHub has shipped calendar-based REST API versioning, with the 2026-03-10 version now GA. This gives integrators a predictable upgrade path — gaining traction as enterprise teams plan Q2 API migrations.

• OpenClaw (various languages, ⭐ 60,000+) — Described by ByteByteGo as "the breakout star of 2026 and arguably the fastest-growing open-source project in GitHub history," surging from 9,000 to over 60,000 stars in just days. Created by PSPDFKit founder Peter Steinberger. Exact nature of the project is not fully detailed in available sources — verify at GitHub directly.

• Appwrite (JavaScript/Dart, ⭐ 50,000+) — Open-source backend-as-a-service platform, cited by GitHub's own blog as one of 2026's most influential open-source projects. Originated as a weekend side project in 2019 and now has hundreds of contributors globally.

---

📰 In the News

• Trivy GitHub Actions Supply Chain Attack: Security researchers confirmed that 75 tags in the Trivy scanner's GitHub Actions workflow were force-pushed by attackers, enabling secrets exfiltration across CI/CD pipelines. The incident is being treated as a significant supply-chain security event for the DevSecOps community.

• GitHub Copilot Privacy Policy Update: GitHub announced it will use developer interaction data to train AI models, joining a growing list of platforms making similar moves. The update includes opt-out controls for individual developers and teams. Community reaction has been polarized.

• GitHub Actions 2026 Security Roadmap Published: GitHub released its forward-looking security roadmap for Actions, covering secure defaults, policy controls, and CI/CD observability improvements designed to harden software supply chains end-to-end. The roadmap arrives days after the Trivy attack highlighted real-world supply chain risk.

---

💬 Community Buzz

• Trivy supply-chain breach — The Hacker News and developer security communities are treating the Trivy tag-hijacking incident as a canonical example of why pinning Actions to commit SHAs (not tags) is non-negotiable. The debate has reignited older discussions about trust models in the GitHub Actions marketplace, with some engineers advocating for organizational allow-lists as a hard requirement. The consensus: tags are not safe anchors.

• GitHub Copilot AI training opt-out — The HN thread around GitHub's Copilot privacy update (as surfaced via Help Net Security) reflects deep unease: developers who build open-source projects worry their code is now training commercial products without meaningful consent. The "opt-out by default" framing is drawing particular criticism, with comparisons to similar controversies at other major platforms. Notable dissent: some contributors argue the data use is within expected norms for a Microsoft-owned product.

---

🔮 What to Watch

1. Supply-chain security for GitHub Actions — The Trivy incident is almost certainly not isolated. As more security tools get embedded in CI/CD pipelines via GitHub Actions, they become high-value targets. Watch for a wave of audits, community proposals for tag-pinning standards, and possibly new GitHub platform controls from the Actions security roadmap. Repos focused on Actions security hygiene (e.g., tooling that enforces SHA pinning) may surge in the coming days.

2. OpenClaw momentum — ByteByteGo's coverage positions OpenClaw as a historically fast-growing project, but specifics remain sparse in available sources as of 2026-03-30. If the growth holds, expect it to dominate the trending page early next week. Worth watching to understand what it actually does once more documentation surfaces.

3. Calendar-based API versioning as a pattern — GitHub's move to date-stamped REST API versions (e.g., 2026-03-10) could become an industry template. If other major developer platforms adopt similar schemes, it would represent a meaningful shift in how open-source tooling handles breaking changes — reducing ecosystem fragmentation over time.