Why is it that I keep seeing "everyone should pin their GitHub Actions versions to a SHA because that's the secure way to do it" and not "GitHub should build tooling that creates and manages Actions lockfiles by default"? Am I just missing that version and only seeing the former one boosted?
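The "pin to a SHA" advice above is easy to state and easy to get wrong by hand, so here is the check a repository owner would actually want: a small audit script that walks a workflow file and reports every `uses:` reference that is not pinned to a full commit SHA. This is an added example, not code from the thread or from any project mentioned in it. It assumes a workflow is plain YAML under `.github/workflows/`, that "pinned" means a 40-hex-character commit SHA (GitHub documents that an abbreviated SHA is not accepted), and that a trailing `# vX.Y.Z` comment is the convention for recording which tag a SHA was resolved from. The sample workflow and the SHA in it are constructed placeholders.

```python
"""Audit `uses:` references in a GitHub Actions workflow for SHA pinning.

Added example (not from the thread). Assumes plain workflow YAML and that
"pinned" means a full 40-hex commit SHA; tags and branches are mutable and
therefore reported as unpinned. No network access: this only classifies
what is written in the file, it does not resolve tags to commits.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# `uses: owner/repo[/subdir]@ref` with an optional quoted form and trailing comment.
# Local actions (./path) and docker:// images carry no git ref and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s'\"]+)?)"
    r"@(?P<ref>[^\s'\"#]+)['\"]?\s*(?:#\s*(?P<comment>.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


@dataclass
class UsesRef:
    line: int            # 1-based line number in the workflow file
    action: str          # owner/repo[/subdir]
    ref: str             # whatever follows the '@'
    comment: Optional[str]  # trailing comment, e.g. the human-readable tag

    @property
    def kind(self) -> str:
        """Classify the ref: 'sha' (immutable), 'short-sha' (rejected by
        GitHub, treat as unpinned) or 'mutable' (tag or branch name)."""
        if FULL_SHA_RE.match(self.ref):
            return "sha"
        if SHORT_SHA_RE.match(self.ref):
            return "short-sha"
        return "mutable"

    @property
    def pinned(self) -> bool:
        return self.kind == "sha"


def audit_workflow(text: str) -> List[UsesRef]:
    """Return every remote `uses:` reference found in the workflow text."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            found.append(UsesRef(lineno, m["action"], m["ref"], m["comment"]))
    return found


def unpinned(text: str) -> List[str]:
    """Return 'action@ref' strings for references that are not full-SHA pinned."""
    return [f"{r.action}@{r.ref}" for r in audit_workflow(text) if not r.pinned]


def report(text: str) -> str:
    """One line per reference, suitable for a CI log or pre-commit hook."""
    lines = []
    for r in audit_workflow(text):
        status = "ok     " if r.pinned else "UNPINNED"
        note = f"  # {r.comment}" if r.comment else ""
        lines.append(f"line {r.line:>3}: {status} {r.kind:<9} {r.action}@{r.ref}{note}")
    return "\n".join(lines)


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.1.0 (placeholder SHA)
      - name: local helper
        uses: ./.github/actions/local
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
"""

if __name__ == "__main__":
    print(report(SAMPLE_WORKFLOW))
    bad = unpinned(SAMPLE_WORKFLOW)
    raise SystemExit(1 if bad else 0)  # non-zero exit fails a CI job on unpinned refs
```

The script deliberately stops at classification: resolving `v4` to a commit and writing that mapping down is the lockfile step the thread is asking GitHub to own, and doing it properly needs the registry side (integrity data, transitive resolution for composite actions) that a regex over one file cannot provide.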
@jonafato you should check out @andrewnez on fedi and his blog; he's been writing about this topic a lot in the last few months.
GitHub Actions Has a Package Manager, and It Might Be the Worst

GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning

Andrew Nesbitt
@andrewnez @cthoyt Thanks for the link. I appreciate your work and have read a bunch of your blog but think I missed this post. I'm not surprised that you've already written it and will share it with folks (in the hope that they are informed by it and share their own perspectives on why they want these features, too).