On Mon, 22 Jun 2026 08:50:17 GMT, Aleksey Shipilev <[email protected]> wrote:

> I agree with "update" part. Why do we need to pin? That blocks us from 
> getting rolling updates to these actions.

Not pinning leaves space for supply chain attacks. As described here, for 
example: https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash

-------------

PR Comment: https://git.openjdk.org/jdk/pull/31603#issuecomment-4766585586
