Open
Labels: enhancement (New feature or request)
Description
For supply chain security it would be nice to be able to pin the pixi binary being downloaded by SHA (in combination with setting pixi-version).
One option would be to provide the SHA of https://github.com/prefix-dev/pixi/releases/download/v0.41.2/dist-manifest.json (which in turn contains all SHAs of the pixi binaries for the corresponding platforms).
We could do something like:

```yaml
uses: prefix-dev/[email protected]
with:
  pixi-version: v0.43.0
  pixi-version-dist-sha256: 123...
```
Maybe also signing the pixi binaries and verifying the signature in this action could be interesting, wdyt @wolfv?
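The verification chain the proposal describes, as an added example that is not code from setup-pixi or pixi: the workflow pins one value (the sha256 of the release's dist-manifest.json), the action checks the downloaded manifest against that pin before parsing it, takes the per-platform hash from the verified manifest, and only then accepts the pixi binary. Pinning the version tag alone does not give this guarantee, because the assets attached to a GitHub release can be replaced while the tag name stays the same. The manifest layout (a version field plus an artifact-name to sha256 map), the artifact names, the binary contents and the pinned value are all constructed for the example; the real dist-manifest.json carries more fields.

```python
import hashlib
import hmac
import json


class VerificationError(Exception):
    """Raised when a downloaded artifact does not match its pinned hash."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the per-platform pixi binaries (not real pixi builds).
SAMPLE_BINARIES = {
    "pixi-x86_64-unknown-linux-musl": b"#!/bin/sh\necho 'fake pixi for linux'\n",
    "pixi-aarch64-apple-darwin": b"#!/bin/sh\necho 'fake pixi for macos'\n",
}

# Constructed dist-manifest.json. The layout (version field plus an
# artifact-name -> sha256 map) is a simplifying assumption for this example;
# the real file attached to pixi releases carries more fields.
SAMPLE_MANIFEST = json.dumps(
    {
        "app_version": "0.43.0",
        "artifacts": {
            name: {"sha256": sha256_hex(data)} for name, data in SAMPLE_BINARIES.items()
        },
    },
    sort_keys=True,
).encode()

# The single value a workflow author would pin (the proposed
# `pixi-version-dist-sha256`), computed once, out of band, from a reviewed manifest.
PINNED_MANIFEST_SHA256 = sha256_hex(SAMPLE_MANIFEST)


def verify_manifest(manifest_bytes: bytes, pinned_sha256: str, expected_version: str) -> dict:
    """Check the raw manifest bytes against the pin *before* parsing them."""
    actual = sha256_hex(manifest_bytes)
    if not hmac.compare_digest(actual, pinned_sha256.strip().lower()):
        raise VerificationError(f"dist-manifest.json sha256 {actual} != pinned {pinned_sha256}")
    manifest = json.loads(manifest_bytes)
    # The pin already fixes the version, but a mismatch here means pixi-version
    # and its pin were edited inconsistently in the workflow, which should fail loudly.
    if manifest.get("app_version") != expected_version.lstrip("v"):
        raise VerificationError(f"manifest is for {manifest.get('app_version')}, not {expected_version}")
    return manifest


def verify_binary(binary_bytes: bytes, manifest: dict, artifact_name: str) -> str:
    """Look up the platform's expected hash in the verified manifest and check the binary."""
    try:
        expected = manifest["artifacts"][artifact_name]["sha256"]
    except KeyError:
        raise VerificationError(f"{artifact_name} is not listed in the manifest") from None
    actual = sha256_hex(binary_bytes)
    if not hmac.compare_digest(actual, expected):
        raise VerificationError(f"{artifact_name} sha256 {actual} != manifest {expected}")
    return actual


def install_pixi(artifact_name: str, manifest_bytes: bytes, binary_bytes: bytes,
                 pixi_version: str, pinned_manifest_sha256: str) -> str:
    """Full chain: pin -> manifest -> per-platform hash -> binary. Returns the verified binary hash."""
    manifest = verify_manifest(manifest_bytes, pinned_manifest_sha256, pixi_version)
    return verify_binary(binary_bytes, manifest, artifact_name)


def rejects(artifact_name: str, manifest_bytes: bytes, binary_bytes: bytes,
            pixi_version: str = "v0.43.0") -> bool:
    """True if the chain refuses the inputs; used to show that tampering is caught."""
    try:
        install_pixi(artifact_name, manifest_bytes, binary_bytes, pixi_version, PINNED_MANIFEST_SHA256)
    except VerificationError:
        return True
    return False


def tampered_manifest_for(artifact_name: str, replacement_binary: bytes) -> bytes:
    """An attacker who swaps a release asset would re-issue the manifest so the
    swapped binary 'checks out'; the pinned manifest hash is what defeats that."""
    manifest = json.loads(SAMPLE_MANIFEST)
    manifest["artifacts"][artifact_name]["sha256"] = sha256_hex(replacement_binary)
    return json.dumps(manifest, sort_keys=True).encode()


if __name__ == "__main__":
    name = "pixi-x86_64-unknown-linux-musl"
    swapped = b"#!/bin/sh\necho 'not pixi'\n"  # constructed replacement binary
    print("verified:", install_pixi(name, SAMPLE_MANIFEST, SAMPLE_BINARIES[name], "v0.43.0", PINNED_MANIFEST_SHA256))
    print("swapped binary rejected:", rejects(name, SAMPLE_MANIFEST, swapped))
    print("swapped binary + re-issued manifest rejected:", rejects(name, tampered_manifest_for(name, swapped), swapped))
```

Two choices matter in practice: the manifest is hashed as the raw bytes that were downloaded, never as re-serialized JSON, since any reformatting would change the digest; and the raw bytes are checked before `json.loads` runs, so untrusted content is never parsed unless it already matches the pin. The version check is redundant with the pin but turns a copy-paste mistake between `pixi-version` and its hash into an immediate failure rather than a silent install of a different release.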