Publish as immutable action #1485

@JamieMagee

Immutable actions are a way to publish custom GitHub Actions as OCI artifacts in the GitHub container registry, as opposed to git refs. They give some better security guarantees than existing actions:

  • Provenance attestations generated using the @actions/attest package
  • Tag immutability - it will not be possible to overwrite tags once published, ensuring versions of an action can't change once in use
  • Namespace immutability - it will not be possible to delete and recreate the package with different content; this would undermine tag immutability

Currently, immutable actions are in preview, but I think it's worth investigating.

References:
