sbom-tool

Lack of a "proper" GitHub Action prevents pinning to specific versions as hardening advice recommends.

Open blowdart opened this issue 10 months ago • 2 comments

Best practice in actions these days is to pin an action to its sha commit number. This prevents problems when an attacker compromises an action and releases a newer version with dodgy code.

The github actions instructions show there's no marketplace action at all for the SBOM tool, which means you can't follow the recommended best practices for third party actions.

The instructions to just curl down the latest release present the same risk that pinning an action would avoid (assuming any action you publish also downloads a specific version, rather than just latest).

While you could reduce the risk by having SBOM generation run in a separate action and upload its own artifact, this is a bunch of work for a lot of people which could be avoided if you'd publish a marketplace action instead. Additionally, an action would also tie into Dependabot nicely, giving users a notification and an appropriate PR when a new version is published.

blowdart, Dec 03 '24 14:12
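As an added illustration of the two patterns the issue contrasts (not code from the sbom-tool project or from the issue author): the mutable-tag and "latest" download steps beside their pinned equivalents, plus the Dependabot stanza that keeps SHA-pinned actions current. `example-org/sbom-action` is a hypothetical marketplace action, `<commit-sha>`, `<version>` and `<sha256>` are placeholders to fill from a release you have verified, and the download URL layout is assumed from the GitHub releases convention.

```yaml
# .github/workflows/sbom.yml (added example; placeholders in angle brackets)
name: sbom
on: [push]
jobs:
  unpinned:                      # the pattern the issue warns about
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # tag can be moved to different code later
      - run: |
          # "latest" resolves to whatever was published most recently
          curl -sSL -o sbom-tool \
            https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
          chmod +x sbom-tool

  pinned:                        # the hardened form
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<commit-sha>  # v4 - immutable commit, version kept in comment
      # Hypothetical marketplace action, pinned the same way; the trailing
      # version comment is what Dependabot reads to propose bumps.
      - uses: example-org/sbom-action@<commit-sha>  # v1.2.3
      - name: Or download one specific release and verify its digest
        env:
          SBOM_TOOL_VERSION: <version>   # e.g. a release tag, never "latest"
          SBOM_TOOL_SHA256: <sha256>     # digest recorded when the release was reviewed
        run: |
          set -euo pipefail
          curl -sSL -o sbom-tool \
            "https://github.com/microsoft/sbom-tool/releases/download/${SBOM_TOOL_VERSION}/sbom-tool-linux-x64"
          # Fails the job if the downloaded binary differs from the reviewed one
          echo "${SBOM_TOOL_SHA256}  sbom-tool" | sha256sum -c -
          chmod +x sbom-tool

# .github/dependabot.yml: opens a PR (with the new SHA and version comment)
# whenever a pinned action publishes a new release.
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
```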