I feel like this solution hallucinated the concept of Workflow Lock File (.lock.yml), which is not available in Github Actions. This is a missing feature that would solve the security risk of changing git tag references when calling to actions like utility@v1
I think in this context they mean “lock” as in “these are the generated contents corresponding to your source markdown,” not as in “this is a lockfile.” But I think that’s a pretty confusing overlap for them to have introduced, given that a lack of strong dependency pinning is a significant ongoing pain point in GHA.
You can already hardcode the sha of a given workflow in the ref, and arguably should do that anyways.
It doesn't work for transitive dependencies, so you're reliant on third party composite actions doing their own SHA locking.
You can also configure a policy for it [0] and there are many oss tools for auto converting your workflow into a pinned hash ones. I guess OP is upset it’s not in gh CLI? Maybe a valid feature to have there even if it’s just a nicety
[0] https://github.blog/changelog/2025-08-15-github-actions-poli...
[dead]