Security & supply chainPinning every CI action to a commit SHA is becoming the new minimum
A new write-up from the Cilium maintainers lays out a concrete playbook for locking down CI/CD dependencies — full-SHA pinning for every action, digest-pinned containers, vendored Go modules, and Renovate with a release-age cooldown. The pattern matters even if you do not ship eBPF for a living.