alt Hacker NewsYou lose vulnerability alerts, on GitHub. This is a (ridiculous, IMO) platform limitation that GitHub could lift by applying more engineering time to Dependabot and Dependabot's integrated security alerts feature.
zizmor (and other tools) correctly recovers vulnerability information for SHA-pinned actions[1].
[1]: https://docs.zizmor.sh/audits/#known-vulnerable-actions
I agree, silly limitation.
On zizmor, there's no mention of coverage on commit SHA the section you've linked, nor in the entire page when I do Ctrl+F. Is there anything I'm missing?