Use immutable GitHub release feature

Open codygarver opened this issue 3 months ago • 3 comments

It's best practice to use immutable releases so that the tag cannot be rewritten by an attacker https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases

codygarver avatar Nov 24 '25 23:11 codygarver

Are immutable releases already enabled for this action/repository?

In the GitHub blog post announcing the feature, there is a screenshot of a v2.0.1 release of some component, and within that image there's a padlock adjacent to the word Immutable. However: I am not certain if that web UI is already live on GitHub, or whether it is solely for promotional purposes with the blog post.

Ref: https://github.blog/changelog/2025-10-28-immutable-releases-are-now-generally-available/

jayaddison avatar Dec 01 '25 17:12 jayaddison

Immutable releases are not in use for this repo yet; the GitHub UI change is live. On the releases and tags pages it will show a lock icon that says Immutable. You can see an example of them in use for systemd: https://github.com/systemd/systemd/tags

codygarver avatar Dec 02 '25 00:12 codygarver
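Since this repository's tags are not yet immutable, a consumer can at least detect a tag that has been moved to a different commit between two checks. The following is an added example, not code from this issue or from the repository; the `git ls-remote --tags` output format is real, while the snapshot lines and commit hashes are constructed sample data.

```python
"""Detect rewritten git tags by comparing `git ls-remote --tags` output
against a previously recorded tag -> commit snapshot (constructed data)."""
import re
import subprocess

# One ls-remote line: "<40-hex sha>\trefs/tags/<name>" with an optional
# "^{}" suffix marking the peeled commit of an annotated tag.
LS_REMOTE_LINE = re.compile(r"^([0-9a-f]{40})\t(refs/tags/(\S+?))(\^\{\})?$")

# Constructed snapshot taken when the action was first pinned. v2.0.1 is an
# annotated tag, so it appears twice: the tag object and its peeled commit.
SAMPLE_SNAPSHOT = """\
1111111111111111111111111111111111111111\trefs/tags/v1.0.0
2222222222222222222222222222222222222222\trefs/tags/v2.0.1
3333333333333333333333333333333333333333\trefs/tags/v2.0.1^{}
"""

# Constructed later output in which v2.0.1 has been re-tagged elsewhere.
SAMPLE_NOW = """\
1111111111111111111111111111111111111111\trefs/tags/v1.0.0
4444444444444444444444444444444444444444\trefs/tags/v2.0.1
5555555555555555555555555555555555555555\trefs/tags/v2.0.1^{}
"""


def parse_ls_remote(output: str) -> dict:
    """Map tag name -> commit SHA. For annotated tags the peeled ('^{}') line
    wins, because that is the commit a checkout of the tag resolves to."""
    tags, peeled = {}, set()
    for line in output.splitlines():
        m = LS_REMOTE_LINE.match(line.strip())
        if not m:
            continue
        sha, _, name, suffix = m.groups()
        if suffix:
            tags[name] = sha
            peeled.add(name)
        elif name not in peeled:
            tags[name] = sha
    return tags


def moved_tags(expected: dict, current: dict) -> dict:
    """Return {tag: (expected_sha, current_sha)} for every recorded tag that
    now points elsewhere or has vanished; a moved tag is the red flag."""
    return {t: (sha, current.get(t)) for t, sha in expected.items()
            if current.get(t) != sha}


def fetch_tags(remote: str) -> dict:
    """Live variant: query a remote (needs network; not used by the sample)."""
    out = subprocess.run(["git", "ls-remote", "--tags", remote], check=True,
                         capture_output=True, text=True).stdout
    return parse_ls_remote(out)
```

Running `moved_tags` over the two constructed outputs reports v2.0.1 as moved from the `3333…` commit to `5555…`, which is exactly the rewrite an immutable release would have prevented.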

Ok, thank you @codygarver. I have read in a separate zizmor discussion thread that in fact the actions/* namespace is immutable, but if so, it seems that that is via a different, less-visible mechanism. Thank you for providing independent confirmation that the padlock+immutable status does appear on GitHub already.

jayaddison avatar Dec 02 '25 00:12 jayaddison