Why is it that I keep seeing "everyone should pin their GitHub Actions versions to a SHA because that's the secure way to do it" and not "GitHub should build tooling that creates and manages Actions lockfiles by default"? Am I just missing that version and only seeing the former one boosted?
@jonafato @ross I mean I agree with what you're saying, but maybe I'm missing something, because it feels like this type of tooling is almost trivial to implement yourself if you're willing to inline the locking and add some ignored YAML.
@djspiewak Defaults matter. Why not make this work in a better and safer way out of the box?
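The thread contrasts hand-pinning every `uses:` to a commit SHA with having tooling keep a lockfile, and the second post says inlining that locking step is nearly trivial. As an added example, not part of the thread or of any GitHub tooling, the script below does exactly that for a workflow: it flags remote actions not pinned to a full 40-hex SHA (tags, branches and abbreviated SHAs all count as unpinned) and rewrites them from a lockfile, keeping the original tag as a trailing comment. The workflow text, the lockfile format (a plain `owner/repo@tag` to SHA mapping) and the placeholder SHAs are all constructed for the example; a real tool would fill the lockfile from `git ls-remote` rather than from literals.

```python
import re

# Constructed example input: a human-edited workflow that references actions by
# floating tag, the form most tutorials show and the one the thread calls out.
UNPINNED_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: github/codeql-action/init@v3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
"""

# Constructed lockfile (hypothetical format): "owner/repo@tag" -> commit the tag
# pointed at when the lock was taken. The SHAs are placeholders, NOT the real
# commits behind those releases; real tooling would resolve them from the remote.
LOCKFILE = {
    "actions/checkout@v4": "a" * 40,
    "actions/setup-node@v4": "b" * 40,
    "github/codeql-action@v3": "c" * 40,
}

USES_RE = re.compile(r"^(?P<indent>\s*-?\s*uses:\s*)(?P<ref>\S+)(?P<rest>.*)$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def split_uses(ref):
    """Split 'owner/repo[/path]@ref' into (repo, path, ref).
    Returns None for local ('./...') and container ('docker://...') actions,
    which are not pinned through a Git SHA."""
    if ref.startswith("./") or ref.startswith("docker://") or "@" not in ref:
        return None
    target, git_ref = ref.rsplit("@", 1)
    parts = target.split("/")
    if len(parts) < 2:
        return None
    return "/".join(parts[:2]), "/".join(parts[2:]), git_ref


def is_pinned(ref):
    """True only for a full 40-hex commit SHA. A tag or branch can be moved by
    the action's maintainer (or whoever takes over their account), and an
    abbreviated SHA is not unique, so both count as unpinned."""
    parsed = split_uses(ref)
    if parsed is None:
        return True  # nothing to pin at the Git level
    return bool(FULL_SHA_RE.match(parsed[2]))


def find_unpinned(workflow_text):
    """Return (line_number, uses_ref) for every remote action not pinned to a full SHA."""
    hits = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group("ref")):
            hits.append((n, m.group("ref")))
    return hits


def pin_workflow(workflow_text, lockfile):
    """Rewrite every unpinned remote 'uses:' to the SHA recorded in lockfile,
    keeping the original tag as a trailing comment so reviewers and update
    bots can still see which release the SHA stands for. A tag missing from
    the lockfile raises KeyError instead of being left floating."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not is_pinned(m.group("ref")):
            repo, path, tag = split_uses(m.group("ref"))
            key = f"{repo}@{tag}"
            if key not in lockfile:
                raise KeyError(f"no lock entry for {key}")
            target = repo + (f"/{path}" if path else "")
            line = f"{m.group('indent')}{target}@{lockfile[key]} # {tag}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, ref in find_unpinned(UNPINNED_WORKFLOW):
        print(f"line {n}: {ref} is not pinned to a full SHA")
    print(pin_workflow(UNPINNED_WORKFLOW, LOCKFILE))
```

The split into `find_unpinned` (a CI gate that fails when a floating ref sneaks in) and `pin_workflow` (the generator run from the editable, tag-based source file) is the "inline the locking" workflow the second post describes. Two caveats the script does not remove: a SHA is only as trustworthy as the tag was at lock time, and pinned SHAs still have to be refreshed deliberately, otherwise the lockfile quietly freezes you on old releases.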