woodruffw 2 hours ago
See also pinact[1], gha-update[2], and zizmor's unpinned-uses[3]. The main desiderata with these kinds of action pinning tools are that they (1) leave a tag comment, (2) leave that comment in a format that Dependabot and/or Renovate understands for bumping purposes, and (3) actually put the full tag in the comment, rather than the cutesy short tag that GitHub encourages people to make mutable (v4.x.y instead of v4).

[1]: https://github.com/suzuki-shunsuke/pinact
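A small checker for the three properties listed in the comment above, as an added example (not part of the original comment, and not code from pinact, gha-update or zizmor). It assumes the trailing `# vX.Y.Z` comment form is what the update bots parse; the function names, sample workflow and SHAs are constructed for illustration.

```python
import re

# Matches a `uses:` step line: action, ref, optional trailing comment.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<action>[^@\s'\"]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"\s*(?:#\s*(?P<comment>.*\S))?\s*$"
)
SHA_RE = re.compile(r"[0-9a-f]{40}")
# Assumption: the tag comment is written as `# vX.Y.Z` (full version).
FULL_TAG_RE = re.compile(r"v?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?")
SHORT_TAG_RE = re.compile(r"v?\d+(?:\.\d+)?")

def check_line(line):
    """Return a list of findings for one workflow line (empty list = OK)."""
    m = USES_RE.match(line)
    if not m:
        return []  # not a `uses:` line with an @ref
    action, ref, comment = m["action"], m["ref"], m["comment"]
    if action.startswith("./") or action.startswith("docker://"):
        return []  # local actions and container images are out of scope here
    if not SHA_RE.fullmatch(ref):
        return [f"{action}: ref '{ref}' is not a full commit SHA"]
    if not comment:
        return [f"{action}: pinned, but no tag comment"]
    tag = comment.split()[0]
    if FULL_TAG_RE.fullmatch(tag):
        return []
    if SHORT_TAG_RE.fullmatch(tag):
        return [f"{action}: comment '{tag}' is a short, mutable tag"]
    return [f"{action}: comment '{tag}' is not a version tag"]

def check_workflow(text):
    """Return (line_number, finding) pairs for a whole workflow file."""
    return [(n, f) for n, line in enumerate(text.splitlines(), 1)
            for f in check_line(line)]

# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: example/build@0123456789abcdef0123456789abcdef01234567
  - uses: example/lint@89abcdef0123456789abcdef0123456789abcdef # v4
  - uses: example/test@fedcba9876543210fedcba9876543210fedcba98 # v4.1.2
"""

if __name__ == "__main__":
    for n, finding in check_workflow(SAMPLE):
        print(f"line {n}: {finding}")
```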