Why is it that I keep seeing "everyone should pin their GitHub Actions versions to a SHA because that's the secure way to do it" and not "GitHub should build tooling that creates and manages Actions lockfiles by default"? Am I just missing that version and only seeing the former one boosted?
@jonafato you should check out @andrewnez on fedi and his blog, he's been writing about this topic a lot in the last few months
GitHub Actions Has a Package Manager, and It Might Be the Worst

GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning

Andrew Nesbitt
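The thread above asks for tooling that creates and manages an Actions lockfile rather than leaving every maintainer to hand-pin SHAs. As an added illustration, not code from either poster or from Andrew Nesbitt's post, here is a small Python sketch of what such a tool has to do at its core: find `uses:` references that point at a mutable tag or branch, resolve each to a commit SHA, rewrite the workflow with the tag kept as a trailing comment, and emit the lock mapping. The workflow text, the resolver and all SHAs are constructed stand-ins (a real tool would call `git ls-remote` or the GitHub API); function names are the example's own.

```python
"""Added example: minimal "lock" step for GitHub Actions `uses:` references.

Everything here is constructed for illustration; FAKE_RESOLVER stands in for
a network lookup, and its SHAs are made-up values, not real commits.
"""
import re

# Constructed stand-in for a tag -> commit resolver (fake SHAs).
FAKE_RESOLVER = {
    ("actions/checkout", "v4"): "a" * 40,
    ("actions/setup-python", "v5"): "b" * 40,
    ("github/codeql-action", "v3"): "d" * 40,
}

# Constructed sample workflow: two floating tags, a subpath action on a tag,
# a local action, a docker image, and one step that is already SHA-pinned.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - uses: github/codeql-action/init@v3
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@cccccccccccccccccccccccccccccccccccccccc
"""

SHA_RE = re.compile(r"[0-9a-f]{40}")
USES_RE = re.compile(r"^(?P<indent>\s*-?\s*uses:\s*)(?P<ref>\S+)(?P<rest>.*)$")


def fake_resolve(repo, version):
    """Offline stand-in for resolving a tag/branch to a commit SHA."""
    return FAKE_RESOLVER.get((repo, version))


def parse_uses(ref):
    """Split 'owner/repo[/subpath]@version' into (name, version).

    Returns None for local ('./...') and 'docker://' actions, which have no
    git ref to pin, and for refs that carry no '@' at all.
    """
    ref = ref.strip("'\"")
    if ref.startswith("./") or ref.startswith("docker://") or "@" not in ref:
        return None
    name, version = ref.rsplit("@", 1)
    if name.count("/") < 1:
        return None
    return name, version


def is_pinned(version):
    """True when the ref is a full 40-hex commit SHA rather than a tag/branch."""
    return SHA_RE.fullmatch(version) is not None


def find_unpinned(text):
    """List every 'name@version' in the workflow that is not SHA-pinned."""
    found = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        parsed = parse_uses(m.group("ref"))
        if parsed is not None and not is_pinned(parsed[1]):
            found.append(f"{parsed[0]}@{parsed[1]}")
    return found


def lock_workflow(text, resolve):
    """Return (rewritten_text, lock) with floating refs replaced by SHAs.

    The original tag is kept as a trailing '# tag' comment so humans and
    update bots can still see what was intended; 'lock' maps 'name@tag' to
    the SHA it resolved to. Already-pinned refs are left untouched.
    """
    lock, out = {}, []
    for line in text.splitlines():
        m = USES_RE.match(line)
        parsed = parse_uses(m.group("ref")) if m else None
        if parsed is None or is_pinned(parsed[1]):
            out.append(line)
            continue
        name, version = parsed
        repo = "/".join(name.split("/")[:2])  # subpath actions resolve via their repo
        sha = resolve(repo, version)
        if sha is None:
            raise LookupError(f"cannot resolve {name}@{version}")
        lock[f"{name}@{version}"] = sha
        out.append(f"{m.group('indent')}{name}@{sha} # {version}")
    return "\n".join(out) + "\n", lock


if __name__ == "__main__":
    print("unpinned:", find_unpinned(SAMPLE_WORKFLOW))
    rewritten, lock = lock_workflow(SAMPLE_WORKFLOW, fake_resolve)
    print(rewritten)
    print("lock:", lock)
```

Two gaps this sketch deliberately leaves open, because they are exactly what the linked post means by "no integrity verification, no transitive pinning": the lock records a SHA but nothing later verifies that the checked-out tree matches it, and a pinned composite action can itself `uses:` a floating tag, which this script never recurses into.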