Add git-safe-actions to CI

leotm · leotm · commit b4467d89de56 · 2025-11-27T20:33:12.000Z
- via @lavamoat/git-safe-dependencies - prevent mutable GHA references - e.g. actions/checkout@v5 - validate GHA pinned to commit hash - e.g. actions/checkout@<hash> - ensure deterministic GHA downloads prior VM execution - (renovate config:best-practices extends helpers:pinGitHubActionDigests) Resolve: #1822
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -22,6 +22,9 @@ jobs:
       - name: Run @lavamoat/git-safe-dependencies
         run: yarn git-safe-dependencies
 
+      - name: Run @lavamoat/git-safe-dependencies (git-safe-actions)
+        run: yarn git-safe-actions
+
       - name: Compile with TypeScript
         run: yarn tsc
 
