"GitHub recommends pinning an Action to a full-length commit SHA, as it is currently the only way to use an Action as an immutable release.

Still, only 2% of GitHub repositories fully embrace this security best practice!"

https://pin-gh-actions.kammel.dev/

#security #github #githubactions #supplychain
