upvote

points

by clarkdale9 hours ago |
comments
upvoteby woodruffw8 hours ago|
next
[-]
I think in this context they mean “lock” as in “these are the generated contents corresponding to your source markdown,” not as in “this is a lockfile.” But I think that’s a pretty confusing overlap for them to have introduced, given that a lack of strong dependency pinning is a significant ongoing pain point in GHA.
reply
upvoteby acedTrex9 hours ago|
prev|
next
[-]
You can already hardcode the sha of a given workflow in the ref, and arguably should do that anyways.
reply
upvoteby chippiewill8 hours ago|
parent|
next
[-]
It doesn't work for transitive dependencies, so you're reliant on third party composite actions doing their own SHA locking.
reply
upvoteby eddythompson808 hours ago|
parent|
prev|
[-]
You can also configure a policy for it [0] and there are many oss tools for auto converting your workflow into a pinned hash ones. I guess OP is upset it’s not in gh CLI? Maybe a valid feature to have there even if it’s just a nicety

[0] https://github.blog/changelog/2025-08-15-github-actions-poli...

reply
upvoteby resquawk2 hours ago|
prev|
[-]
[dead]
reply