1 post · clear filter ×
I lock every GitHub Action to its commit SHA instead of a mutable tag, then let Dependabot keep the pins current. Here's why a tag alone isn't enough.