
hybirdss, yesterday at 11:45 PM

Just went through all my GitHub Actions and pinned them to commit SHAs after reading this. Same problem — if someone pushes to @main your CI blindly runs it. Auto-updating anything is basically handing someone a key to your house and hoping they stay nice forever.


Replies

eviks, today at 3:37 AM

FYI, you can add zizmor, which warns about things like this, and add a repo config that forces SHAs so that a mistake can't happen in the future (but not sure if you can have the setting globally).
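
As an added example covering both comments above (not code from either commenter, and not zizmor itself): a small Python checker that scans a workflow file and flags every `uses:` that points at a mutable ref (branch or tag) instead of a full-length commit SHA or an image digest. The sample workflow and its 40-hex SHA are constructed for the demo.

```python
import re
from typing import Dict, List, Optional

# Constructed sample workflow, not taken from the thread: mixes mutable refs
# (branch, tag), a full-length commit SHA, a local action and a docker image.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: actions/setup-node@v4
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref: str) -> Optional[str]:
    """Return a reason string if `ref` can change under you, None if it is immutable."""
    if ref.startswith("./"):
        return None  # local action: ships with the repo, nothing to pin
    if ref.startswith("docker://"):
        # Docker images are immutable only when addressed by digest, not by tag.
        return None if "@sha256:" in ref else "docker image not pinned by digest"
    if "@" not in ref:
        return "no ref given"
    _, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return None
    return f"mutable ref '{version}' (a branch or tag can be moved after you read it)"


def audit_workflow(text: str) -> List[Dict]:
    """List every `uses:` in a workflow that is not pinned to an immutable ref."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        reason = classify(m.group(1))
        if reason:
            findings.append({"line": lineno, "uses": m.group(1), "reason": reason})
    return findings
```

Run `audit_workflow(SAMPLE_WORKFLOW)` and the checkout (branch), setup-node (tag) and docker (tag) lines are reported, while the SHA-pinned and local actions pass.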