Code scanning incompatible with action commit SHA pinning enforcement

[outloudvi]

Why are you starting this discussion?

Product Feedback

What GitHub Actions topic or product is this about?

Misc

Discussion Details

GitHub Actions recently add a switch: "Require actions to be pinned to a full-length commit SHA". The switch is cool on security as this is a great way to enforce predictable action runs.

This feature, however, isn't compatible with code scanning. When I want to enable code scanning, I receive such notice:

Code scanning with GitHub Actions is not available for this repository.
GitHub Actions policy is limiting the use of some required actions. To use code scanning, allow actions from actions/* and github/codeql-action/* in your policy, or submit code scanning results externally using the API.