Arguably, that's exactly the one action that will need to be hash-pinned, since all the consecutive actions will at least be verified against the lockfile.
From what I see, this does not help with pinning the dependencies and it doesn’t verify the downloaded action has the same content as it used to have. In other words, this is a tiny patch on a big wound.
We use commit hashes to pin actions, have the version as a comment (e.g # v4) and renovate will keep both up to date in the PRs.
And there is a more or less recently added repository setting to require actions to be pinned to hashes.
I have been banging on that drum for like 2 years now, glad the community has figured a way around it. Still utterly ridiculous that this is not native.
They even closed the immutable action issue as a "wont fix" cause you know when it's too hard we all know the best way is to give up. Not like there wasany major security incident this year due to this /s
gjtorikian/gh-actions-lockfile@v1
Presumably since it has to run first it must run unpinned?
We use commit hashes to pin actions, have the version as a comment (e.g # v4) and renovate will keep both up to date in the PRs.
And there is a more or less recently added repository setting to require actions to be pinned to hashes.
Just pin your actions to shasum
They even closed the immutable action issue as a "wont fix" cause you know when it's too hard we all know the best way is to give up. Not like there wasany major security incident this year due to this /s