Hacker News

clarkdale, yesterday at 3:28 PM (3 replies)

I feel like this solution hallucinated the concept of a Workflow Lock File (.lock.yml), which is not available in GitHub Actions. This is a missing feature that would solve the security risk of changing git tag references when calling actions like utility@v1.


Replies

woodruffw, yesterday at 4:17 PM

I think in this context they mean “lock” as in “these are the generated contents corresponding to your source markdown,” not as in “this is a lockfile.” But I think that’s a pretty confusing overlap for them to have introduced, given that a lack of strong dependency pinning is a significant ongoing pain point in GHA.

acedTrex, yesterday at 3:55 PM

You can already hardcode the SHA of a given workflow in the ref, and arguably should do that anyways.

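An added example, not written by any commenter in this thread: a small Python check for the pinning discussed above, flagging `uses:` references in a workflow that are not a full 40-character commit SHA (or, for `docker://` images, a sha256 digest). The sample workflow, the `example-org` action names and the SHA value are constructed placeholders.

```python
import re

# A `uses:` key in a step or job, with optional list dash and quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")            # full commit SHA-1
DOCKER_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def classify(target):
    """Return 'pinned', 'local' or 'mutable' for one `uses:` value."""
    if target.startswith("./"):
        return "local"        # same-repo action, versioned with the workflow
    if target.startswith("docker://"):
        return "pinned" if DOCKER_DIGEST_RE.search(target) else "mutable"
    _, sep, ref = target.rpartition("@")
    if sep and FULL_SHA_RE.fullmatch(ref):
        return "pinned"
    return "mutable"          # tag, branch, short SHA, or no ref at all


def find_mutable_refs(workflow_text):
    """Return [(line_number, target)] for every `uses:` that is not pinned."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "mutable":
            findings.append((number, match.group(1)))
    return findings


# Constructed sample workflow; names and the SHA are placeholders.
SAMPLE = """\
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/utility@v1
      - uses: example-org/utility@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/utility@0123456
      - uses: ./.github/actions/local-step
      - uses: docker://example/image:latest
  reuse:
    uses: example-org/shared/.github/workflows/build.yml@main
"""

if __name__ == "__main__":
    for number, target in find_mutable_refs(SAMPLE):
        print(f"line {number}: {target} is not pinned to a full commit SHA")
```

The check is line-based rather than a YAML parse, so it covers block-style `uses:` keys like those in the sample; flow-style mappings would need a real YAML parser.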
resquawk, yesterday at 10:30 PM

[dead]