[baobun]

This is the way to do it.

Pin by hash.

Verify that the actions themselves aren't pulling in unpinned dependencies from Actions, NPM, or elsewhere.

Have a CI job or bot create PRs for new versions. Verify those PRs before merging.

If any particular action becomes a recurring chore or risk, consider if you should keep depending on it.

If you do these things, the "we need a package manager" is moot and most if not all of the concerns in that blog post don't affect you.

[larusso]

I don’t want to throw process at the problem. I think GH should provide a better system not the developers locking down dependencies and adding extra processes and steps to update the CI via a PR workflow. Not like PRs became the development bottleneck anyways for a lot of development teams these days. I wonder how we functioned 15 years ago with trunk based YOLO development. I also think that it wasn’t the best idea to base versioning on mutable branches and not introduce a registry in the middle. Think about it. The whole system is build on node anyways. But we pull “dependencies” via a weak git clone system.