
Feature request: enable immutable releases

Open jayaddison opened this issue 3 months ago • 0 comments

GitHub has recently launched a feature to allow immutable releases; I think this could be helpful in cases where people want some level of assurance that they can fix and receive the same software/code/component when running processes that use version numbers over time: https://github.blog/changelog/2025-10-28-immutable-releases-are-now-generally-available/

I'd like to request that dorny/paths-filter opt into that; as an alternative, I've pinned a version of it in a workflow file -- but today I learned that using pin-hashing prevents Dependabot Alerts from detecting vulnerable action versions in workflow files.

(I realise that second paragraph may seem tangential -- the reason I mention it is that I'd like assurance both that Dependabot Alerts could detect vulnerabilities in this action, and also that deliberately-selected software versions would not change unexpectedly.)

Thank you!

Refs:

  • Documentation: limitations of Dependabot Alerts vulnerability detection: https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#detection-of-insecure-dependencies
  • Discussion: community feature request for Dependabot Alerts to detect vulnerable hash-pinned components: https://github.com/orgs/community/discussions/154189

jayaddison · Dec 01 '25 17:12
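The trade-off described in the issue (a version tag can move unless releases are immutable; a commit-hash pin cannot move but, per the linked docs, is not matched by Dependabot Alerts) is something a repository owner can audit mechanically. The script below is an added example, not part of this issue or of the dorny/paths-filter project: it scans the `uses:` lines of a GitHub Actions workflow and classifies each action reference as SHA-pinned, version-tag-pinned, a mutable branch-style ref, or a local path, and flags SHA pins that lack the trailing `# vX.Y.Z` comment that lets a human map the hash back to a release. The function names (`audit_workflow`, `classify_ref`, `summarize`) are my own, the sample workflow is constructed, and the 40-character SHA in it is a placeholder made of repeated digits, not a real commit.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Dict

# Constructed sample workflow (not from any real repository). The SHA below is a
# placeholder of repeated hex digits, NOT a real dorny/paths-filter commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            src:
              - 'src/**'
      - uses: dorny/paths-filter@0123456789abcdef0123456789abcdef01234567 # v3 (placeholder SHA)
      - uses: dorny/paths-filter@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-thing
"""

# A `uses:` line, optionally inside a list item, optionally followed by a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(#.*)?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full git commit hash
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")   # v3, v3.0.2, 3.1 ...


@dataclass
class UsesRef:
    action: str              # e.g. dorny/paths-filter
    ref: Optional[str]       # part after '@', None for local actions
    kind: str                # 'sha' | 'version-tag' | 'mutable-ref' | 'local'
    comment: Optional[str]   # trailing '# ...' comment, if any
    finding: str             # human-readable assessment


def classify_ref(action: str, ref: Optional[str]) -> str:
    """Decide how an action reference can change over time."""
    if action.startswith("./"):
        return "local"
    if ref is None:
        return "mutable-ref"           # no ref at all: invalid/unpinned
    if SHA_RE.match(ref):
        return "sha"
    if VERSION_TAG_RE.match(ref):
        return "version-tag"
    return "mutable-ref"               # branch name or anything else


def describe(kind: str, comment: Optional[str]) -> str:
    if kind == "sha" and comment:
        return "SHA-pinned; version comment present, so the hash can be mapped to a release"
    if kind == "sha":
        return ("SHA-pinned with no version comment; cannot move, but vulnerable-version "
                "matching by Dependabot Alerts is not available for hash pins (add '# vX.Y.Z')")
    if kind == "version-tag":
        return "tag-pinned; tag can be re-pointed unless the project uses immutable releases"
    if kind == "mutable-ref":
        return "branch or unpinned ref; resolves to a different commit on every push"
    return "local action path; changes with this repository"


def audit_workflow(text: str) -> List[UsesRef]:
    """Return one UsesRef per `uses:` line found in the workflow text."""
    results: List[UsesRef] = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec, comment = m.group(1), m.group(2)
        if "@" in spec:
            action, ref = spec.rsplit("@", 1)
        else:
            action, ref = spec, None
        kind = classify_ref(action, ref)
        results.append(UsesRef(action, ref, kind, comment, describe(kind, comment)))
    return results


def summarize(results: List[UsesRef]) -> Dict[str, int]:
    """Count references per kind, e.g. to fail CI when mutable refs are present."""
    counts: Dict[str, int] = {}
    for r in results:
        counts[r.kind] = counts.get(r.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for r in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{r.action}@{r.ref}: [{r.kind}] {r.finding}")
    print(summarize(audit_workflow(SAMPLE_WORKFLOW)))
```

Run against a real `.github/workflows/*.yml` file, the output shows at a glance which steps would be protected by immutable releases (the `version-tag` rows) and which are hash-pinned but invisible to Dependabot's version matching (the `sha` rows without a comment); a CI gate could fail on any `mutable-ref` row.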