| ▲ | acedTrex 8 hours ago | |
You can already hardcode the sha of a given workflow in the ref, and arguably should do that anyways. | ||
| ▲ | chippiewill 8 hours ago | parent | next [-] | |
It doesn't work for transitive dependencies, so you're reliant on third party composite actions doing their own SHA locking. | ||
| ▲ | eddythompson80 8 hours ago | parent | prev [-] | |
You can also configure a policy for it [0] and there are many oss tools for auto converting your workflow into a pinned hash ones. I guess OP is upset it’s not in gh CLI? Maybe a valid feature to have there even if it’s just a nicety [0] https://github.blog/changelog/2025-08-15-github-actions-poli... | ||