For supply chain security it would be nice to be able to pin the pixi binary being downloaded by SHA (in combination with setting pixi-version).
One option we could do is providing the sha of https://github.com/prefix-dev/pixi/releases/download/v0.41.2/dist-manifest.json (which in turn contains all shas of pixi binaries for the corresponding platforms)
we could do something like
uses: prefix-dev/setup-pixi@v0.9.0
with:
pixi-version: v0.43.0
pixi-version-dist-sha256: 123...
Maybe also signing the pixi binaries and verifying the signature in this action could be interesting, wdyt @wolfv?
For supply chain security it would be nice to be able to pin the pixi binary being downloaded by SHA (in combination with setting pixi-version).
One option we could do is providing the sha of https://github.com/prefix-dev/pixi/releases/download/v0.41.2/dist-manifest.json (which in turn contains all shas of pixi binaries for the corresponding platforms)
we could do something like
Maybe also signing the pixi binaries and verifying the signature in this action could be interesting, wdyt @wolfv?