[Feature]: Consider pinning to commit hashes instead of versions #241

@k-doering-NOAA

Description

Is your feature request related to a problem? Please describe.

Code scanning on GitHub has recently been flagging when GitHub Actions are not pinned to commit hashes. This has recently been suggested as a best security practice, but it comes at the cost of a more difficult updating process to the latest version (increased maintenance cost).

Describe the solution you would like.

Consider whether we would rather pin to versions or commit hashes on ghactions4r. We could also consider this for our other projects that use GitHub Actions.

Describe alternatives you have considered

Leave as is, pin to versions. Could consider a combination of approaches, and also consider if immutable releases are used.

Additional context

No response
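The difference the issue is about is between mutable references (a tag such as `@v4` or a branch such as `@main`, which the action's maintainer, or anyone who compromises their account, can re-point later) and an immutable full commit SHA. The script below is an added example, not part of ghactions4r or any of the NOAA projects; it scans workflow YAML for `uses:` lines and classifies how each action is referenced, which is the check that GitHub code scanning is performing. The sample workflow and the 40-hex SHA in it are constructed placeholders, not real action pins.

```python
import re
import sys
from typing import Dict, List

# Constructed sample workflow (not from the ghactions4r project). It mixes
# the reference styles a scanner has to tell apart: a tag, a branch, a full
# commit SHA (placeholder value) with the conventional version comment,
# a local composite action and a Docker image.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: echo hi
"""

# Matches `uses:` keys (optionally quoted) and captures the reference up to
# whitespace, a quote or a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?', re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_HEX_RE = re.compile(r"^[0-9a-f]{7,39}$")


def classify_ref(uses: str) -> str:
    """Classify one `uses:` value by how strongly it is pinned.

    sha        - full 40-hex commit id; immutable, what code scanning wants
    short-sha  - abbreviated hex; resolvable today but not collision-safe
    mutable    - tag or branch; the maintainer can move it to new code
    unpinned   - no @ref at all (defaults to the default branch)
    local      - path inside this repository; pinned by the repo's own commit
    docker     - container image; pin these with an @sha256 digest instead
    """
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        return "docker"
    if "@" not in uses:
        return "unpinned"
    _, ref = uses.rsplit("@", 1)
    if FULL_SHA_RE.match(ref):
        return "sha"
    if SHORT_HEX_RE.match(ref):
        # A tag that happens to be all-hex would land here too; rare in practice.
        return "short-sha"
    return "mutable"


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per `uses:` reference found in the workflow text."""
    findings: List[Dict[str, object]] = []
    for match in USES_RE.finditer(text):
        uses = match.group(1)
        kind = classify_ref(uses)
        findings.append({"uses": uses, "kind": kind, "pinned": kind == "sha"})
    return findings


def unpinned_actions(text: str) -> List[str]:
    """The references a reviewer would ask to be replaced with a commit SHA."""
    return [
        str(f["uses"])
        for f in audit_workflow(text)
        if f["kind"] in ("mutable", "short-sha", "unpinned")
    ]


if __name__ == "__main__":
    # Audit the workflow files given on the command line, or the sample.
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_WORKFLOW]
    for text in sources:
        for finding in audit_workflow(text):
            print(f"{finding['kind']:10} {finding['uses']}")
```

Keeping the `# v4.0.0` comment next to a SHA pin is the usual way to limit the maintenance cost the issue mentions: a human can still see which release the hash corresponds to, and Dependabot's `github-actions` updates can bump hash-pinned actions and rewrite that comment when a new release appears.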
