laurentsimon

Results 899 comments of laurentsimon

I think I missed an important requirement in my initial feature description: third-party actions are not allowed in the workflow, it seems. So we may simplify the feature by simply...

Follow-up: some users may still want to pin by hash the GitHub actions that are used in the workflow. So my original description is still relevant.

Please don't close this issue, @github-actions bot!

Sure, here are some examples: https://github.com/actions/starter-workflows/blob/main/code-scanning/apisec-scan.yml#L56 https://github.com/actions/starter-workflows/blob/main/code-scanning/scorecards.yml#L30 In accordance with https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions, `Pin actions to a full length commit SHA`. Note that it would be even better if GitHub supported `[email protected]:the_hash`...

Right. My feature request is the following: every time an action workflow releases a new version, they need to send a PR to this repo to upload the hash pin....

What you describe only happens at first installation, so it's low risk. This is the way *everything* works today: package managers do this: on first installation you must trust the...

What do you mean by "testing done by package managers"? "these third party actions will have access" I'm only suggesting a "pin variable" for the "main" action defined in the...

For discussion on the use of tag vs hash pinning, please see https://github.com/actions/starter-workflows/pull/1600