Gh-actions-lockfile: generate and verify lockfiles for GitHub Actions
6 comments
December 16, 2025 · tomeraberbach
Elucalidavah
Arguably, that's exactly the one action that will need to be hash-pinned, since all the consecutive actions will at least be verified against the lockfile.
silverwind
Pinning actions doesn't really work because most action dependencies are unpinned thanks to npm default behaviour of not pinning them.
Sytten
I have been banging on that drum for like 2 years now, glad the community has figured a way around it. Still utterly ridiculous that this is not native.
They even closed the immutable action issue as a "won't fix" cause you know when it's too hard we all know the best way is to give up. Not like there was any major security incident this year due to this /s
EatFlamingDeath
I feel like at this point we should just abandon GitHub Actions altogether.
oldmancode
[dead]
Mildly ironic that the quickstart suggests starting with an unpinned action:
gjtorikian/gh-actions-lockfile@v1
Presumably, since it has to run first, it must run unpinned?
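The thread turns on one distinction: a `uses:` reference pinned to a tag such as `@v1` or `@v4` is mutable (the tag can be moved to a different commit), while a reference pinned to a full 40-hex commit SHA is not. The script below is an added example, not code from gh-actions-lockfile or from GitHub; it scans raw workflow text and reports every `uses:` reference whose ref is not a full commit SHA, so a reviewer can see at a glance which steps are still tag-pinned. The workflow text and the SHA in it are constructed for the example; `actions/checkout`, `actions/setup-node` and the `gjtorikian/gh-actions-lockfile@v1` quickstart reference are only used as sample inputs. Local `./` actions and `docker://` images are skipped because they are pinned by other means (repository contents and image digests respectively).

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example, not part of gh-actions-lockfile or GitHub. It works on raw
workflow text with a regular expression so it needs no YAML library.
"""
import re
from dataclasses import dataclass

# `- uses: owner/repo@ref # comment`  or  `uses: owner/repo@ref` under a named step.
# Leading whitespace is matched with [ \t]* (not \s*) so a match never spans lines.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?(?P<ref>[^'\"\s#]+)['\"]?", re.MULTILINE
)
# Only a full 40-hex-digit SHA counts as pinned; tags, branches and short SHAs do not.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow text
    action: str    # e.g. "actions/checkout"
    ref: str       # e.g. "v4" or a 40-hex SHA
    pinned: bool   # True only for a full commit SHA


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per remote `uses:` reference in the workflow text."""
    findings: list[Finding] = []
    for m in USES_RE.finditer(text):
        ref = m.group("ref")
        # Local actions and Docker images are pinned by other mechanisms; skip them.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        line_no = text.count("\n", 0, m.start()) + 1
        action, _, version = ref.partition("@")
        findings.append(Finding(line_no, action, version, bool(FULL_SHA_RE.match(version))))
    return findings


def unpinned(text: str) -> list[Finding]:
    """Only the references a lockfile or hash-pinning pass would still need to fix."""
    return [f for f in audit_workflow(text) if not f.pinned]


# Constructed sample workflow. The SHA below is made up for the example and is
# not a real actions/setup-node release commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: node
        uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.1.0
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.20
      - uses: gjtorikian/gh-actions-lockfile@v1
"""


def main() -> None:
    for f in audit_workflow(SAMPLE_WORKFLOW):
        status = "pinned  " if f.pinned else "UNPINNED"
        print(f"line {f.line:>3}  {status}  {f.action}@{f.ref}")
    print(f"{len(unpinned(SAMPLE_WORKFLOW))} reference(s) still pinned to a mutable ref")


if __name__ == "__main__":
    main()
```

Run it against a real `.github/workflows/*.yml` by reading the file into `audit_workflow`; anything reported as UNPINNED is a reference whose target can change without the workflow changing, which is exactly the gap a lockfile or SHA pinning is meant to close. Note that the check is syntactic: a full SHA tells you the ref is immutable, not that the pinned commit is trustworthy, and it does not look inside the action at its own (often unpinned) dependencies, which is silverwind's point above.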