Hacker News
by hybirdss 63 days ago
Just went through all my GitHub Actions and pinned them to commit SHAs after reading this. Same problem — if someone pushes to @main, your CI blindly runs it. Auto-updating anything is basically handing someone a key to your house and hoping they stay nice forever.
1 comment

FYI, you can add zizmor, which warns about things like this, and add a repo config that forces SHAs so that a mistake can't happen in the future (but not sure if you can have the setting globally).
Nice, gonna run that on the repo tonight. The manual SHA-pinning approach was always going to be the kind of thing I'd forget after the next Dependabot bump.
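The thread above is about mutable `uses:` references in GitHub Actions workflows. Below is an added example, not code from the thread or from zizmor, showing the kind of check a linter performs: it scans a workflow for every `uses:` target and reports which ones point at a branch, a tag, or an abbreviated SHA instead of a full 40-hex commit. The workflow text is constructed for the example (the 40-hex value on the upload-artifact line is a placeholder, not a real commit), and the function and status names are the example's own.

```python
"""Audit a GitHub Actions workflow for `uses:` targets that are not pinned
to a full-length commit SHA. Example code for the thread above; not
zizmor's implementation, and the SAMPLE_WORKFLOW at the bottom is constructed.
"""
import re
from typing import NamedTuple

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA = re.compile(r"^[0-9a-f]{7,39}$")
# Matches step-level `- uses: x` and job-level `uses: x` (reusable workflows
# are referenced the same way and are just as mutable when pinned to @main).
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")


class Finding(NamedTuple):
    line: int
    target: str
    status: str  # pinned | unpinned | short-sha | local | docker


def classify(target: str) -> str:
    """Decide whether a single `uses:` value resolves to an immutable commit."""
    if target.startswith("./"):
        return "local"       # lives in this repo; nothing remote to pin
    if target.startswith("docker://"):
        return "docker"      # image refs are pinned by digest, not a git SHA
    if "@" not in target:
        return "unpinned"    # no ref at all: resolves to the default branch
    _, ref = target.rsplit("@", 1)
    if FULL_SHA.fullmatch(ref):
        return "pinned"
    if SHORT_SHA.fullmatch(ref):
        return "short-sha"   # abbreviated SHAs are ambiguous; require all 40 hex
    return "unpinned"        # branch or tag: the action owner can retarget it


def audit(workflow_text: str) -> list[Finding]:
    """Return one Finding per `uses:` line, with its 1-based line number."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES.match(line)
        if m:
            target = m.group(1)
            findings.append(Finding(n, target, classify(target)))
    return findings


def violations(workflow_text: str) -> list[Finding]:
    """Only the findings that should fail the check."""
    return [f for f in audit(workflow_text) if f.status in ("unpinned", "short-sha")]


# Constructed sample: one workflow showing each case side by side.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main        # branch: a push to main runs in your CI
      - uses: actions/setup-python@v5      # tag: can be force-moved to a new commit
      - uses: actions/cache@0c45773        # short SHA: still ambiguous
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567  # v4.0.0 (placeholder SHA)
      - uses: ./.github/actions/lint
      - uses: docker://alpine:3.20
  deploy:
    uses: example-org/workflows/.github/workflows/deploy.yml@main
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOW):
        print(f"line {f.line:>2}  {f.status:<9}  {f.target}")
    print(f"{len(violations(SAMPLE_WORKFLOW))} target(s) need a full-SHA pin")
```

Two caveats worth keeping in mind when running something like this: a SHA pin freezes only that action's own tree, so a composite action that itself references other actions by tag is still mutable one level down, and the trailing `# v4.0.0` comment is a convention for humans (Dependabot's `github-actions` updates keep it in sync with the SHA) rather than anything the runner enforces.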