Open
Description
Currently it is necessary to pin an action to a commit SHA, to avoid supply chain attacks as happened with tj-actions/changed-files last year, where all tags in the repo were changed to point to a malicious commit. The downside of this is that it isn't very readable what the current version of an action is.
GitHub's immutable releases feature is now generally available (announcement, docs). This makes it impossible to change a release or tag referenced by a release once published. Then, it would once again be safe to reference an action by tag, at least for full-length tags like v8.1.0. Short tags, like v8 are mutable by definition, so it doesn't help here.
Would it be possible to enable immutable releases for this repo?
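An added example (not part of the issue or of the project) that audits the `uses:` references in a workflow against the trust categories described above: commit SHA, full-length version tag (safe only once the action's repo has immutable releases), short tag (mutable by definition), and branch. The workflow text and the 40-hex SHA are constructed placeholders.

```python
from __future__ import annotations
import re

# Constructed sample workflow (not from the issue); the SHA is a placeholder,
# the action name and tags mirror the ones discussed in the issue text.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: tj-actions/changed-files@v8.1.0
      - uses: tj-actions/changed-files@v8
      - uses: example-org/example-action@main
      - uses: ./.github/actions/local
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
FULL_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+")  # e.g. v8.1.0: fixed only with immutable releases
SHORT_TAG_RE = re.compile(r"^v?\d+(\.\d+)?$")  # e.g. v8, v8.1: moves between releases

def classify_ref(ref: str) -> str:
    """Map a `uses:` ref to the trust category discussed in the issue."""
    if SHA_RE.match(ref):
        return "sha"               # pinned: safe regardless of repo settings
    if FULL_TAG_RE.match(ref):
        return "full-tag"          # safe only if the action repo has immutable releases
    if SHORT_TAG_RE.match(ref):
        return "short-tag"         # always mutable
    return "branch-or-other"       # branches and anything else: mutable

def audit_workflow(text: str) -> list[tuple[str, str, str]]:
    """Return (action, ref, category) for every remote action the workflow uses."""
    findings = []
    for m in USES_RE.finditer(text):
        target = m.group(1)
        if target.startswith(("./", "docker://")) or "@" not in target:
            continue               # local actions and docker images are out of scope here
        action, ref = target.rsplit("@", 1)
        findings.append((action, ref, classify_ref(ref)))
    return findings

def unpinned(text: str, trust_immutable_releases: bool = False) -> list[tuple[str, str, str]]:
    """Findings that are still mutable; with trust_immutable_releases=True, full
    version tags are accepted, as they would be once the action's repo enables the feature."""
    ok = {"sha", "full-tag"} if trust_immutable_releases else {"sha"}
    return [f for f in audit_workflow(text) if f[2] not in ok]

if __name__ == "__main__":
    for action, ref, cat in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{cat:16} {action}@{ref}")
```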