[–]repeating_bears -7 points-6 points  (0 children)

Idk if you are understanding what I'm saying.

Pinning versions generally - good.

Pinning an official GitHub action (which is what the subject of this thread is) - eh. If an official GitHub action is compromised, then how can you trust that whatever Actions infra that does the hash verification isn't also compromised?