It doesn't work for transitive dependencies, so you're reliant on third party composite actions doing their own SHA locking.

You can also configure a policy for it [0] and there are many oss tools for auto converting your workflow into a pinned hash ones. I guess OP is upset it’s not in gh CLI? Maybe a valid feature to have there even if it’s just a nicety

[0] https://github.blog/changelog/2025-08-15-github-actions-poli...