Why you should pin your GitHub Actions by commit-hash - Basically you can avoid supply chain attacks by specifying the full commit hash of every community built action you use, for example the 'checkout' action, instead of specifying the module version. Yes that avoids the attack in the immediate term but how do you maintain your repo now? You are now tied down to the ground like Guliver. They mention using dependabot which supports version numbers in comments, but how does dependabot know the version it's promoting hasn't been compromised? And now your workflow files are full of illegible commit hashes. Supply chain tragedy. blog.rafaelgss.dev #