> The practical fix for the first problem is pinning to a full commit hash instead of a tag name
If the underlying project in turn uses named tags, i.e. if the hash pinning doesn't apply transitively, then the protection appears incomplete, doesn't it?
Correct. As an attacker you just move one level deeper.
If the target pins their direct actions to commit hashes, you compromise a dependency of the action instead. They pinned the top of the tree but you own something in the middle of it.
SolarWinds was not attacked directly. The attackers compromised Orion, a build tool SolarWinds depended on. SolarWinds had decent security on their own code. It did not matter because the attack came through a dependency they trusted and did not control.
The defender has to secure the entire chain. The attacker only has to find one weak link anywhere in it. That asymmetry is why supply chain attacks keep working.
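An added example (not code from anyone in this thread) showing the gap being discussed: a small audit that flags `uses:` references in a GitHub Actions workflow that are not pinned to a full commit SHA, and then applies the same check to the `action.yml` of a composite action the workflow pulls in, so that a tag reference one level down still surfaces. The workflow, the action names and the nested `action.yml` are constructed for the example.

```python
import re

# Constructed sample workflow (not from any real repository): one step pinned to a
# full commit SHA, one to a mutable tag, one to a branch.
WORKFLOW = """
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: actions/setup-node@v4
      - uses: example-org/lint@main
"""

# Constructed action.yml of a composite action. Even if the workflow above pinned
# example-org/lint by SHA, this nested reference is still resolved by tag at run time.
NESTED_ACTION_YML = """
runs:
  using: composite
  steps:
    - uses: example-org/helper@v1
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(yaml_text):
    """Return the `uses:` references that are not pinned to a full 40-hex commit SHA."""
    unpinned = []
    for ref in USES_RE.findall(yaml_text):
        if ref.startswith(("./", "docker://")):
            continue  # local paths and docker images are outside SHA pinning
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned


def audit(workflow_text, nested_actions):
    """Audit a workflow and the action.yml of each action it uses.

    nested_actions maps an action name ('owner/repo') to its action.yml text, so the
    check is applied one level down the tree rather than only at the top.
    """
    findings = {"workflow": find_unpinned(workflow_text)}
    for name, text in nested_actions.items():
        findings[name] = find_unpinned(text)
    return findings


if __name__ == "__main__":
    print(audit(WORKFLOW, {"example-org/lint": NESTED_ACTION_YML}))
```

Running it reports the tag and branch references in the workflow plus the tag reference inside the composite action, which is the layer a top-level pin alone does not cover.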