From f9878b563d7f32a060842e35d27e05f1aa77f6ce Mon Sep 17 00:00:00 2001
From: Duncan Smith
Date: Wed, 27 May 2026 15:28:59 +0100
Subject: [PATCH] Pin GitHub Actions to specific SHAs

---
 .github/dependabot.yml | 21 +++++++++++++--------
 .github/workflows/actionlint.yml | 4 ++--
 .github/workflows/check-pinned-actions.yml | 11 +++++++++++
 .github/workflows/freeagent-gem.yml | 8 ++++----
 .github/workflows/tests.yml | 4 ++--
 .pinact.yaml | 4 ++++
 6 files changed, 36 insertions(+), 16 deletions(-)
 create mode 100644 .github/workflows/check-pinned-actions.yml
 create mode 100644 .pinact.yaml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 48f6ef0..311dea4 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,13 +1,18 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
-
 version: 2
 updates:
-  - package-ecosystem: "bundler" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: bundler
+    directory: "/"
     schedule:
-      interval: "weekly"
+      interval: weekly
     cooldown:
       default-days: 7
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: daily
+    rebase-strategy: disabled
+    open-pull-requests-limit: 10
+    cooldown:
+      default-days: 7
+    exclude:
+      - fac/*
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
index 3a27a46..4a90563 100644
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
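Review bot: The `exclude:` list with `- fac/*` at the end of the new github-actions entry does not match any key I know of in the Dependabot v2 update schema, so it is likely to be rejected or silently ignored rather than skipping the org's own actions; the documented way to skip dependencies is `ignore:` with `- dependency-name: "fac/*"`. The exemption mirrors the `fac/.*` ignore in `.pinact.yaml`, so it is deliberate, but a one-line comment above it saying why `fac/*` actions are tracked by branch instead of SHA would save the next reader from treating it as an oversight. Quoting the pattern (`"fac/*"`) also keeps it a plain string if it is ever moved into a value position where a leading `*` would be read as a YAML alias.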
@@ -50,8 +50,8 @@ jobs:
           }' --jq '.data.repository.object.associatedPullRequests.nodes[].number')"
           echo "number=$pr_number" >> "$GITHUB_OUTPUT"
 
-      - uses: actions/checkout@v3
-      - uses: reviewdog/action-actionlint@v1.37.1
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: reviewdog/action-actionlint@7485c2136bd093d2317a854c72910eebaee35238 # v1.37.1
         if: ${{ ! steps.pr.outputs.number }}
         with:
           fail_on_error: true
diff --git a/.github/workflows/check-pinned-actions.yml b/.github/workflows/check-pinned-actions.yml
new file mode 100644
index 0000000..5a35d27
--- /dev/null
+++ b/.github/workflows/check-pinned-actions.yml
@@ -0,0 +1,11 @@
+name: Check actions have their versions pinned
+
+on:
+  push:
+    paths:
+      - '.github/workflows/*.yml'
+      - '.github/workflows/*.yaml'
+
+jobs:
+  pinact:
+    uses: fac/shared-workflows/.github/workflows/check_pinned_actions.yml@main
diff --git a/.github/workflows/freeagent-gem.yml b/.github/workflows/freeagent-gem.yml
index 3e70639..d6f0f31 100644
--- a/.github/workflows/freeagent-gem.yml
+++ b/.github/workflows/freeagent-gem.yml
@@ -14,8 +14,8 @@ jobs:
       contents: write
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: ruby/setup-ruby@v1
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
         with:
           bundler-cache: true
 
@@ -28,8 +28,8 @@ jobs:
 
       - name: Create a Pre-release
         if: ${{ github.ref != 'refs/heads/master' && steps.is_prerelease.outputs.is_prerelease == 'true' }}
-        uses: rubygems/release-gem@v1
+        uses: rubygems/release-gem@f0d7faff26625599a847d40d9fa28ace24c2aacc # v1
 
       - name: Create a Release
         if: ${{ github.ref == 'refs/heads/master' && steps.is_prerelease.outputs.is_prerelease == 'false' }}
-        uses: rubygems/release-gem@v1
+        uses: rubygems/release-gem@f0d7faff26625599a847d40d9fa28ace24c2aacc # v1
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index be05630..00ebbf1 100644
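Review bot: The checkout pin in the actionlint hunk resolves to v3.6.0 while the same commit pins checkout at v4.3.1 in freeagent-gem.yml and tests.yml, so the repository now carries two majors of the same action, and the SHA freezes this workflow on the v3 line until Dependabot proposes a bump. If staying on v3 is not deliberate, use the same line as the other workflows, `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`; if it is deliberate, a short comment on the line saying why would stop the next reader from "fixing" it. The step list and the job it belongs to start outside the hunk.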
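Review bot: The new `pinact` job calls `fac/shared-workflows/.github/workflows/check_pinned_actions.yml@main`, a mutable branch ref, inside a workflow whose purpose is to enforce pinning; `.pinact.yaml` ignores `fac/.*` at `^main$` so the checker will not flag it, which makes this a deliberate exception that deserves a comment on the `uses:` line, e.g. `# org-internal reusable workflow, intentionally tracked by branch (see .pinact.yaml)`. The job declares no `permissions:`, so the called workflow inherits the repository's default token scope; add `permissions:` with `contents: read` under `pinact:` unless the shared workflow documents needing more. Because the only trigger is `push`, a workflow change arriving in a pull request from a fork is presumably checked only after merge, so a `pull_request:` trigger with the same `paths` filter would catch unpinned actions earlier.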
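Review bot: Both `rubygems/release-gem` pins in the second freeagent-gem.yml hunk carry the comment `# v1`, a floating major tag, whereas every other pin in this commit names the exact release (`# v4.3.1`, `# v1.310.0`); the trailing comment is what readers and Dependabot use to relate the SHA to a version, so it should name the exact tag the SHA corresponds to, e.g. `uses: rubygems/release-gem@f0d7faff26625599a847d40d9fa28ace24c2aacc # <exact release tag>`. That matters more here than elsewhere because this job runs with `contents: write` (visible as context in the first hunk) and appears to publish the gem, so a reviewer should be able to tell at a glance which release of the publishing action is trusted. Both steps sit inside a job whose start is outside the hunk.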
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -8,8 +8,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: ruby/setup-ruby@v1
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
         with:
           bundler-cache: true
 
diff --git a/.pinact.yaml b/.pinact.yaml
new file mode 100644
index 0000000..6c1a9d3
--- /dev/null
+++ b/.pinact.yaml
@@ -0,0 +1,4 @@
+version: 3
+ignore_actions:
+  - name: fac/.*
+    ref: ^main$
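Review bot: In the new `.pinact.yaml`, `name: fac/.*` is written as a regex but, unlike `ref: ^main$`, is unanchored; if pinact matches `name` as a search rather than a full match, it would also exempt any action whose path merely contains `fac/`, so `name: ^fac/` states the intent unambiguously. The pattern also exempts every fac action at main, not just the shared workflow this commit introduces — narrowing it to `name: ^fac/shared-workflows/` keeps the pinning exception to what is actually used and makes a later addition of another branch-tracked action a visible config change. A comment above the entry explaining why org-internal actions are allowed to float on `main` would help whoever next widens or removes the exception.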