gh-actions-lockfile: generate and verify lockfiles for GitHub Actions

8 points by gjtorikian

nemith

Yet another issue from a 3.5 trillion dollar company that is solved externally. Add it to the list of no PR stacks, poor PR interfaces/performance. But hey we got Copiliot injected into every nook an cranny. So there is that.

adamcstephens

And we also need to pay for self hosted runner time starting in March.
- twm
  
  Oooof. Here's the announcement.
  - JamieTanna
    
    (I had posted this as a submission, but it was removed as off topic - I do think it's important for folks to be aware!)
- robinhundt
  
  Huh, funny, after the recent thread on GitHub actions being the worst package manger I thought about doing the exact same thing, even brainstorming it earlier before seeing this thread.
  I'll have to look into this. I'm especially interested in how it pins SHAs of composite actions.
- ashishb
  
  Comment removed by author
- ashishb
  
  Comment removed by author