alt Hacker NewsThere are downsides to it though. You... - lose vulnerability alerts - increase maintenance overhead - take on all that for value that will go to 0 once Immutable Releases gets widely adopted
I wrote a couple of blog posts on it, and a makeshift way of tackling that https://developerwithacat.com/blog/202604/github-actions-sup...
Replies
baby_souffle • today at 8:09 PM
The maintenance aspect is relatively straightforward to automate.
Renovate handles this well. Ratchet and pinact can also be used
➕ show 1 reply
You lose vulnerability alerts, on GitHub. This is a (ridiculous, IMO) platform limitation that GitHub could lift by applying more engineering time to Dependabot and Dependabot's integrated security alerts feature.
zizmor (and other tools) correctly recovers vulnerability information for SHA-pinned actions[1].
[1]: https://docs.zizmor.sh/audits/#known-vulnerable-actions