top | item 46935095

(no title)

clarkdale | 22 days ago

I feel like this solution hallucinated the concept of Workflow Lock File (.lock.yml), which is not available in Github Actions. This is a missing feature that would solve the security risk of changing git tag references when calling to actions like utility@v1

discuss

woodruffw|22 days ago

I think in this context they mean “lock” as in “these are the generated contents corresponding to your source markdown,” not as in “this is a lockfile.” But I think that’s a pretty confusing overlap for them to have introduced, given that a lack of strong dependency pinning is a significant ongoing pain point in GHA.

acedTrex|22 days ago

You can already hardcode the sha of a given workflow in the ref, and arguably should do that anyways.

chippiewill|22 days ago

It doesn't work for transitive dependencies, so you're reliant on third party composite actions doing their own SHA locking.

eddythompson80|22 days ago

You can also configure a policy for it [0] and there are many oss tools for auto converting your workflow into a pinned hash ones. I guess OP is upset it’s not in gh CLI? Maybe a valid feature to have there even if it’s just a nicety

[0] https://github.blog/changelog/2025-08-15-github-actions-poli...

resquawk|22 days ago

[deleted]