Pin GitHub Actions to specific commit SHAs

.github/dependabot.yml

@@ -1,13 +1,18 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
-
 version: 2
 updates:
-  - package-ecosystem: "bundler" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: bundler
+    directory: "/"
     schedule:
-      interval: "weekly"
+      interval: weekly
     cooldown:
       default-days: 7
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: daily
+    rebase-strategy: disabled
+    open-pull-requests-limit: 10
+    cooldown:
+      default-days: 7
+      exclude:
+        - fac/*

.github/workflows/actionlint.yml

@@ -50,8 +50,8 @@ jobs:
           }' --jq '.data.repository.object.associatedPullRequests.nodes[].number')"
           echo "number=$pr_number" >> "$GITHUB_OUTPUT"
 
-      - uses: actions/checkout@v3
-      - uses: reviewdog/action-actionlint@v1.37.1
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: reviewdog/action-actionlint@7485c2136bd093d2317a854c72910eebaee35238 # v1.37.1
         if: ${{ ! steps.pr.outputs.number }}
         with:
           fail_on_error: true

.github/workflows/check-pinned-actions.yml

@@ -0,0 +1,11 @@
+name: Check actions have their versions pinned
+
+on:
+  push:
+    paths:
+      - '.github/workflows/*.yml'
+      - '.github/workflows/*.yaml'
+
+jobs:
+  pinact:
+    uses: fac/shared-workflows/.github/workflows/check_pinned_actions.yml@main

.github/workflows/freeagent-gem.yml

@@ -14,8 +14,8 @@ jobs:
       contents: write
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: ruby/setup-ruby@v1
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
         with:
           bundler-cache: true
 
@@ -28,8 +28,8 @@ jobs:
 
       - name: Create a Pre-release
         if: ${{ github.ref != 'refs/heads/master' && steps.is_prerelease.outputs.is_prerelease == 'true' }}
-        uses: rubygems/release-gem@v1
+        uses: rubygems/release-gem@f0d7faff26625599a847d40d9fa28ace24c2aacc # v1
 
       - name: Create a Release
         if: ${{ github.ref == 'refs/heads/master' && steps.is_prerelease.outputs.is_prerelease == 'false' }}
-        uses: rubygems/release-gem@v1
+        uses: rubygems/release-gem@f0d7faff26625599a847d40d9fa28ace24c2aacc # v1

.github/workflows/tests.yml

@@ -8,8 +8,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: ruby/setup-ruby@v1
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
         with:
           bundler-cache: true
 

.pinact.yaml

@@ -0,0 +1,4 @@
+version: 3
+ignore_actions:
+  - name: fac/.*
+    ref: ^main$