mmarian 2 days ago

Agreed. Good news is GitHub will address that with Immutable Releases https://github.blog/news-insights/product-news/whats-coming-... You won't even need to use commit SHA as long as the maintainer follows this approach.

phist_mcgee 2 days ago | parent | next [-]

What an absolute joke that it has taken GitHub this long to clean up its act when it comes to supply chain security.

cyberclimb 13 hours ago | parent | prev [-]

The actions/checkout repo still doesn't even use immutable releases so I'll believe it when I see it

https://github.com/actions/checkout/issues/2316

mmarian 13 hours ago | parent [-]

Yes, it's maddening. Especially since it's a fair amount of effort to move to commit SHA pinning and establish a good maintenance/monitoring process around it; if I knew it would be adopted quickly, I could argue that people should just wait and accept temporary risk.
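The "maintenance/monitoring process" around SHA pinning that the comment above mentions usually starts with an inventory check: which `uses:` references in a workflow still point at a mutable tag or branch rather than a full commit SHA. The script below is an added example, not code from the thread or from GitHub; the workflow text and the 40-character SHA in it are constructed placeholders, and the line-based regex is a deliberate simplification rather than a full YAML parser.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not taken from the thread). The 40-hex value
# on the setup-node line is a made-up placeholder, not a real commit SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
"""

# Matches a `uses:` key (optionally as a list item) and captures the reference
# up to the first whitespace or comment marker.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full-length, lowercase hex commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref: str) -> str:
    """Classify one `uses:` reference as 'local', 'pinned' or 'mutable'.

    - local:   a path inside the repository, versioned with the workflow itself
    - pinned:  a 40-hex commit SHA, or a docker image referenced by digest
    - mutable: a tag, branch, image tag, or no version at all
    """
    ref = ref.strip("'\"")
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "pinned" if "@sha256:" in ref else "mutable"
    if "@" not in ref:
        return "mutable"
    _, version = ref.rsplit("@", 1)
    return "pinned" if SHA_RE.fullmatch(version) else "mutable"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, reference, kind) for every `uses:` that is not SHA/digest pinned."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1).strip("'\"")
        kind = classify(ref)
        if kind == "mutable":
            findings.append((line_no, ref, kind))
    return findings


if __name__ == "__main__":
    for line_no, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is {kind}; pin to a full commit SHA or image digest")
```

Running it over the constructed workflow reports `actions/checkout@v4` and `docker://alpine:3.19` as mutable, while the SHA-pinned setup-node step and the local action pass. A real monitoring process would run a check like this in CI on every workflow change and pair it with a bot that proposes SHA bumps when upstream tags move.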