Pin GitHub Actions to specific commit SHAs by dev-platform-overlook[bot] · Pull Request #3 · fac/ssosync

dev-platform-overlook · 2026-05-20T15:02:04Z

This PR pins all GitHub Actions to specific commit SHAs for improved security and stability.

Why pin Actions to SHAs?

Using commit SHAs instead of tags or branch names provides several security and stability benefits:

Security: Prevents potential supply-chain attacks where an action's tag could be moved to malicious code
Immutability: Ensures the exact same code runs every time, even if tags are moved or deleted
Auditability: Makes it clear exactly which version of each action is being used
Stability: Prevents unexpected breaking changes from tag updates

Implementation

This change uses pinact to automatically pin actions while maintaining human-readable comments showing the original tag reference.
If required, a Dependabot configuration has also been added/updated to keep the pinned actions up to date.
If required, a GitHub Actions workflow has been added to check that all actions are pinned in future changes.
Shared workflows from fac/[ops-]shared-workflows on the main branch are intentionally excluded from pinning.

Pin GitHub Actions to specific SHAs

6c72f42

scottclk self-assigned this May 21, 2026

scottclk marked this pull request as ready for review May 21, 2026 09:13

scottclk approved these changes May 21, 2026

View reviewed changes

cornet merged commit fb5afde into master May 21, 2026

Provide feedback