clarkdale 9 hours ago

I feel like this solution hallucinated the concept of a Workflow Lock File (.lock.yml), which is not available in GitHub Actions. This is a missing feature that would solve the security risk of changing git tag references when calling actions like utility@v1

woodruffw 8 hours ago | parent | next

I think in this context they mean “lock” as in “these are the generated contents corresponding to your source markdown,” not as in “this is a lockfile.” But I think that’s a pretty confusing overlap for them to have introduced, given that a lack of strong dependency pinning is a significant ongoing pain point in GHA.

acedTrex 8 hours ago | parent | prev | next

You can already hardcode the SHA of a given workflow in the ref, and arguably should do that anyway.

chippiewill 8 hours ago | parent | next

It doesn't work for transitive dependencies, so you're reliant on third-party composite actions doing their own SHA locking.
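
The two points above (pin `uses:` refs to a commit SHA; a pin on your side says nothing about what a composite action pulls in) can be checked mechanically. The script below is an added example, not code from the thread or from any GitHub tool: it extracts every `uses:` reference from workflow or `action.yml` text, classifies the ref as a full SHA or a mutable tag/branch, and then descends into composite actions to report mutable refs reached transitively. Because it runs offline, the `REGISTRY` dict stands in for fetching each action's `action.yml`; the workflow, action names under `example-org/` and the 40-hex SHAs are all constructed, not real commits. In a real checker the `action.yml` must be fetched at the pinned commit, not from the default branch, otherwise the transitive check is itself mutable.

```python
"""Audit GitHub Actions `uses:` references for mutable refs, including
refs reached transitively through composite actions.

Added example for this thread, not project code. Inputs are constructed
inline so the script runs offline; REGISTRY stands in for fetching each
action's action.yml at the pinned commit.
"""
import re

# Matches `uses: ref`, `- uses: ref`, optionally quoted, ignoring trailing
# comments such as `# v4.0.3` that pinning tools append for readability.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)["\']?', re.MULTILINE)
# Git object IDs are lowercase hex: 40 chars (SHA-1) or 64 chars (SHA-256).
SHA_RE = re.compile(r'^[0-9a-f]{40}$|^[0-9a-f]{64}$')


def parse_uses(yaml_text):
    """Return every `uses:` value in a workflow or action.yml, in order."""
    return USES_RE.findall(yaml_text)


def classify(ref):
    """Classify one `uses:` value: 'local', 'docker', 'sha', 'mutable', or
    'unpinned' (no @ref at all). Tags and branches are both 'mutable'."""
    if ref.startswith('./'):
        return 'local'
    if ref.startswith('docker://'):
        return 'docker'
    if '@' not in ref:
        return 'unpinned'
    _, version = ref.rsplit('@', 1)
    return 'sha' if SHA_RE.match(version) else 'mutable'


def action_key(ref):
    """owner/repo from owner/repo[/subpath]@ref, used to look up action.yml."""
    name = ref.split('@', 1)[0]
    return '/'.join(name.split('/')[:2])


def audit(workflow_text, registry, max_depth=5):
    """Walk the workflow and, depth-first, every composite action it uses.

    registry maps owner/repo -> action.yml text (constructed stand-in for a
    fetch at the pinned commit). Returns a list of (chain, kind) tuples, where
    chain is 'outer@ref -> inner@ref' and kind is 'mutable' or 'unpinned'.
    """
    findings = []
    seen = set()

    def walk(text, chain, depth):
        for ref in parse_uses(text):
            kind = classify(ref)
            if kind in ('local', 'docker'):
                continue
            path = chain + [ref]
            if kind != 'sha':
                findings.append((' -> '.join(path), kind))
            key = action_key(ref)
            if key in registry and key not in seen and depth < max_depth:
                seen.add(key)
                walk(registry[key], path, depth + 1)

    walk(workflow_text, [], 0)
    return findings


# Constructed workflow: one tag pin, one SHA pin, one local action, and one
# SHA-pinned composite action whose own steps are not fully pinned.
WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # v4 (fake SHA)
      - uses: ./.github/actions/local-thing
      - uses: example-org/composite-action@0123456789abcdef0123456789abcdef01234567
"""

# Constructed action.yml contents for the hypothetical example-org actions.
REGISTRY = {
    'example-org/composite-action': """
name: composite
runs:
  using: composite
  steps:
    - uses: actions/setup-python@v5
    - uses: example-org/inner-action@2222222222222222222222222222222222222222
""",
    'example-org/inner-action': """
runs:
  using: composite
  steps:
    - uses: actions/cache@main
""",
}

if __name__ == '__main__':
    for chain, kind in audit(WORKFLOW, REGISTRY):
        print(f'{kind:8} {chain}')
```

Run as-is it reports three mutable refs: `actions/checkout@v4` directly in the workflow, and `actions/setup-python@v5` and `actions/cache@main` reached only through the SHA-pinned composite action, which is exactly the gap a first-level SHA pin leaves open.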

eddythompson80 8 hours ago | parent | prev

You can also configure a policy for it [0], and there are many OSS tools for auto-converting your workflow into a pinned-hash one. I guess OP is upset it's not in the gh CLI? Maybe a valid feature to have there, even if it's just a nicety.

[0] https://github.blog/changelog/2025-08-15-github-actions-poli...
