by
acedTrex
136 days ago
You can already hardcode the sha of a given workflow in the ref, and arguably should do that anyways.
2 comments
chippiewill
136 days ago
It doesn't work for transitive dependencies, so you're reliant on third-party composite actions doing their own SHA locking.
link
eddythompson80
136 days ago
You can also configure a policy for it [0], and there are many OSS tools for auto-converting your workflow into a pinned-hash one. I guess OP is upset it's not in the gh CLI? Maybe a valid feature to have there, even if it's just a nicety.
[0] https://github.blog/changelog/2025-08-15-github-actions-poli...
link