You can already hardcode the sha of a given workflow in the ref, and arguably should do that anyways.
It doesn't work for transitive dependencies, so you're reliant on third party composite actions doing their own SHA locking.
You can also configure a policy for it [0] and there are many oss tools for auto converting your workflow into a pinned hash ones. I guess OP is upset it’s not in gh CLI? Maybe a valid feature to have there even if it’s just a nicety
[0] https://github.blog/changelog/2025-08-15-github-actions-poli...
It doesn't work for transitive dependencies, so you're reliant on third party composite actions doing their own SHA locking.
You can also configure a policy for it [0] and there are many oss tools for auto converting your workflow into a pinned hash ones. I guess OP is upset it’s not in gh CLI? Maybe a valid feature to have there even if it’s just a nicety
[0] https://github.blog/changelog/2025-08-15-github-actions-poli...