Description
Is your feature request related to a problem? Please describe.
With recent security escalations around unpinned SHAs and non-immutable release tags, the best practice in many orgs (and the best practice recommended by GitHub) is to hard-pin to SHA releases instead of semver refs.
However, this creates some issues in terms of readability and updates that otherwise would be nicely streamlined by this VS Code extension.
Describe the solution you'd like
- If the action is pinned to a SHA that is the same as a published semver tag, ideally that semver version would be shown inline in the extension annotation.
- If the user is pinned to a SHA and they click on the option to upgrade to the latest version, the extension would ideally recognize they are SHA-pinned and give them a SHA-pinned upgrade to that tag, rather than move to only pinning to the semver.
- If the user is pinned to a semver ref, the UI could give them an option to pin instead to the SHA ref that represents the latest from that semver. This could help users migrate to SHA-pinned references.
(Note: While both proposal 2 and proposal 3 are valuable together, they solve a similar problem. If proposal 3 is delivered, proposal 2 is less needed, and vice versa.)
Additional context
I think these features could go a long way to helping modernize GitHub Actions security, and make it more convenient for people to keep their workflows safe (read: "safer") from exploits. Thanks!
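The tag/SHA resolution the three proposals rely on, as an added example in Python (not code from the issue author or from the extension). It assumes the tag list comes from `git ls-remote --tags https://github.com/<owner>/<repo>`; the output below is a constructed sample for a hypothetical `example-org/checkout` action so the script runs offline. One caveat a pinning tool has to get right: for an annotated tag, `ls-remote` lists both the tag object and, on the `^{}` line, the commit it points to, and only the commit SHA is a valid `uses:` pin.

```python
import re

# Constructed sample of `git ls-remote --tags` output for a hypothetical
# action "example-org/checkout" (not a real repository). Lines ending in
# ^{} are peeled annotated tags: their SHA is the commit the tag points to,
# which is the value a pinned `uses:` needs. Lightweight tags (v4.0.0 here)
# have no ^{} line and already name the commit.
SAMPLE_LS_REMOTE = """\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v3
1111111111111111111111111111111111111111\trefs/tags/v3^{}
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\trefs/tags/v3.6.0
1111111111111111111111111111111111111111\trefs/tags/v3.6.0^{}
2222222222222222222222222222222222222222\trefs/tags/v4.0.0
cccccccccccccccccccccccccccccccccccccccc\trefs/tags/v4
3333333333333333333333333333333333333333\trefs/tags/v4^{}
dddddddddddddddddddddddddddddddddddddddd\trefs/tags/v4.1.1
3333333333333333333333333333333333333333\trefs/tags/v4.1.1^{}
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo[/path]@ref` with any leading list/indent text.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)"
    r"(?P<repo>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>\S+)(?P<rest>.*)$"
)
SEMVER_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_ls_remote(text):
    """Map tag name -> commit SHA, preferring the peeled (^{}) entry."""
    tags = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t")
        name = ref.removeprefix("refs/tags/")
        if name.endswith("^{}"):
            tags[name[:-3]] = sha          # peeled commit always wins
        else:
            tags.setdefault(name, sha)     # lightweight tag, or placeholder
    return tags


def semver_key(tag):
    """(major, minor, patch) for vN / vN.M / vN.M.P tags, None otherwise."""
    m = SEMVER_RE.match(tag)
    return tuple(int(p or 0) for p in m.groups()) if m else None


def tags_for_sha(tags, sha):
    """Semver tags pointing at a commit, most specific (v4.1.1 before v4) first."""
    names = [t for t, s in tags.items() if s == sha and semver_key(t)]
    return sorted(names, key=lambda t: (-len(t.split(".")), semver_key(t)))


def latest_tag(tags):
    """Highest semver tag, named by its most specific alias."""
    best = max((t for t in tags if semver_key(t)), key=semver_key)
    return tags_for_sha(tags, tags[best])[0]


def pin_line(line, tags):
    """Proposals 1 and 3: rewrite a `uses:` line to a commit SHA and show the
    matching tag as a trailing comment. `tags` must be the tag map of the
    repository named on the line. A branch name or unknown ref is left alone
    rather than guessed at."""
    m = USES_RE.match(line)
    if not m:
        return line
    ref = m.group("ref")
    if SHA_RE.match(ref):
        sha = ref
    elif ref in tags:
        sha = tags[ref]
    else:
        return line
    names = tags_for_sha(tags, sha)
    comment = f"  # {names[0]}" if names else m.group("rest")
    return f"{m.group('indent')}{m.group('repo')}@{sha}{comment}"


def upgrade_line(line, tags):
    """Proposal 2: a SHA-pinned line is moved to the latest tag's commit and
    stays SHA-pinned; a tag-pinned line is bumped to the latest tag name."""
    m = USES_RE.match(line)
    if not m:
        return line
    new_tag = latest_tag(tags)
    if SHA_RE.match(m.group("ref")):
        return f"{m.group('indent')}{m.group('repo')}@{tags[new_tag]}  # {new_tag}"
    return f"{m.group('indent')}{m.group('repo')}@{new_tag}{m.group('rest')}"


if __name__ == "__main__":
    t = parse_ls_remote(SAMPLE_LS_REMOTE)
    for raw in ("      - uses: example-org/checkout@v4",
                "      - uses: example-org/checkout@" + "1" * 40,
                "      - uses: example-org/checkout@main"):
        print(pin_line(raw, t))
        print(upgrade_line(raw, t))
```

The comment written next to the SHA is the most specific tag for that commit (`v4.1.1` rather than the moving `v4`), which is what makes a SHA-pinned line readable and lets an update check compare it against the latest release; an unannotated SHA that matches no tag is reported as-is, since inventing a version for it would defeat the point of pinning.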