Gh-actions-lockfile: generate and verify lockfiles for GitHub Actions

New lock tool for GitHub automation, but users cry 'irony' and 'won't fix'

TLDR: gh-actions-lockfile pins GitHub Actions to exact commit SHAs and records an integrity hash for each, so a moved tag or swapped tarball is caught before a workflow runs it. Commenters loved the idea but mocked the unpinned quickstart, argued pinning is incomplete while an action's own dependencies stay unpinned, demanded native support from GitHub, and suggested alternatives like pinact, calling it a 'tiny patch on a big wound.'

A new open-source tool, gh-actions-lockfile, promises to “lock down” GitHub Actions workflows by pinning every action to an exact commit SHA and recording an integrity hash for the code at that SHA. In plain English: it writes a list that says “use this exact version, and make sure no one swapped it.”

The vibe? Immediate irony. As tomeraberbach put it, the quickstart itself uses an unpinned action: the security lock arrives unlocked. Cue jokes about a tool that must run unpinned to pin everything else.

The mood turns spicy fast. “Why isn’t this native?” asks Sytten, lamenting that GitHub closed the “immutable actions” request as a “won’t fix” and invoking this year’s security scares with a sarcastic “/s.” Others swing the hammer at the foundation: silverwind says pinning doesn’t really work if most of an action’s own dependencies aren’t pinned anyway (thanks to npm’s defaults), while hanspagel calls the whole thing a “tiny patch on a big wound,” arguing it still doesn’t prove the downloaded code is unchanged.

Meanwhile, oldmancode strolls in with a recommendation: pinact works great, turning the thread into a shopping aisle for lock tools. The comment section is a mix of hope, skepticism, and meme energy: lock the locks, trust but verify, and a lot of “do it properly, GitHub.”

Key Points

  • gh-actions-lockfile generates and verifies lockfiles for GitHub Actions dependencies.
  • The lockfile pins each action, including transitive dependencies, to exact commit SHAs.
  • An SRI (SHA-256) integrity hash is stored to verify fetched content matches expectations.
  • A sample lockfile shows fields: version, generated timestamp, actions with version, sha, integrity, dependencies.
  • The tool is available as a GitHub Action and Node.js CLI and is licensed under AGPL-3.0.

Hottest takes

"Mildly ironic that the quickstart suggests starting with an unpinned action" — tomeraberbach
"They even closed the immutable action issue as a 'wont fix'" — Sytten
"Pinning actions doesn't really work" — silverwind

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.