Distinguishing immutable from mutable actions as a consumer #216
Description
The README shows the following example for consuming an immutable action:
Consumers of your action will then be able to specify that version to consume your action from the package, e.g.
- uses: your-name/your-action@v1.2.3- uses: your-name/your-action@v1
This is indistinguishable from the existing syntax for mutable actions, which I assume is for backwards compatibility reasons.
Is there anyway for a consumer or analysis tool to know what security guarantees to expect from an action (e.g. if pinning to a SHA is necessary for immutability)?