From 6905fea90893383763542e575c10660638e41708 Mon Sep 17 00:00:00 2001
From: Duncan Smith
Date: Wed, 20 May 2026 16:02:10 +0100
Subject: [PATCH] Pin GitHub Actions to specific SHAs
---
 .github/dependabot.yml | 11 +++++++++++
 .github/workflows/check-pinned-actions.yml | 11 +++++++++++
 .github/workflows/lint.yaml | 8 ++++----
 .github/workflows/test.yaml | 4 ++--
 .pinact.yaml | 5 +++++
 5 files changed, 33 insertions(+), 6 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/check-pinned-actions.yml
 create mode 100644 .pinact.yaml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..c294609
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+---
+version: 2
+updates:
+- package-ecosystem: github-actions
+ directory: "/"
+ schedule:
+ interval: daily
+ rebase-strategy: disabled
+ open-pull-requests-limit: 10
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/check-pinned-actions.yml b/.github/workflows/check-pinned-actions.yml
new file mode 100644
index 0000000..5a35d27
--- /dev/null
+++ b/.github/workflows/check-pinned-actions.yml
@@ -0,0 +1,11 @@
+name: Check actions have their versions pinned
+
+ on:
+ push:
+ paths:
+ - '.github/workflows/*.yml'
+ - '.github/workflows/*.yaml'
+
+ jobs:
+ pinact:
+ uses: fac/shared-workflows/.github/workflows/check_pinned_actions.yml@main
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 1a0bff3..05b7412 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
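Review bot: Dependabot only keeps SHA-pinned `uses:` lines human-readable when each carries the trailing `# vX.Y.Z` comment — it rewrites the SHA and that comment together, which is why lint.yaml and test.yaml in this same commit now spell out full tag names. After this commit that convention exists only in people's heads; a one-line comment at the top of this file would record it, e.g. `# Actions are pinned to commit SHAs; keep the trailing "# vX.Y.Z" comment on each uses: line so Dependabot can track the tag.` As a point of style, this file writes block sequences flush (`- package-ecosystem` at the parent's column) while the new check-pinned-actions.yml indents its sequences; pick one form for the repository.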
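Review bot: The workflow triggers on `push` only, so an unpinned `uses:` introduced in a pull request is reported after the merge rather than as a status check on the PR; a `pull_request:` trigger with the same `paths:` filter lets the check gate the change. The job calls `fac/shared-workflows/...@main`, the one floating ref this commit leaves in place and the one `.pinact.yaml` exempts with `fac/.*` — deliberate as far as I can tell, but it deserves a comment next to the `uses:` line such as `# Org-internal shared workflow, consumed from main on purpose; see .pinact.yaml ignore_actions.` A top-level `permissions: contents: read` would also bound the token handed to the reusable workflow, assuming the check needs nothing beyond reading the repository.
```yaml
on:
  push:
    paths:
      - '.github/workflows/*.yml'
      - '.github/workflows/*.yaml'
  pull_request:
    paths:
      - '.github/workflows/*.yml'
      - '.github/workflows/*.yaml'
# … unchanged: jobs …
```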
@@ -13,10 +13,10 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v3
+ - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v3.3.1
 with:
 go-version: 1.19
- - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
 - name: Lint
 uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # v3.4.0
 with:
@@ -26,10 +26,10 @@ jobs:
 lint-test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v3
+ - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v3.3.1
 with:
 go-version: 1.19
- - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
 - name: Lint
 uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # v3.4.0
 with:
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 12e6cf9..4813c03 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -15,10 +15,10 @@ jobs:
 env:
 TEST_DIR: github_ratelimit/github_ratelimit_test
 steps:
- - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v3
+ - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v3.3.1
 with:
 go-version: 1.19
- - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
 - name: Verify dependencies
 run: go mod verify
 - name: Build
diff --git a/.pinact.yaml b/.pinact.yaml
new file mode 100644
index 0000000..b5b2a7f
--- /dev/null
+++ b/.pinact.yaml
@@ -0,0 +1,5 @@
+---
+version: 3
+ignore_actions:
+- name: fac/.*
+ ref: "^(main|master)$"
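Review bot: In the `.pinact.yaml` hunk the `ref` pattern is anchored (`^(main|master)$`) but `name` is not; if pinact applies `name` as an unanchored regular expression — it is written as one here — `fac/.*` also accepts names that merely contain `fac/`, so the entry should read `name: "^fac/.*$"` (quoted, to match the style of `ref`). This entry is the only hole left in the pinning policy and it is intentional — the org's own shared workflow is consumed via `@main` in check-pinned-actions.yml — but nothing on the page says so, and an unexplained exemption tends to be widened later; a comment above the entry such as `# Org-internal shared workflows are consumed from main on purpose; everything else must be SHA-pinned.` records the intent. Note that any future `fac/...` reference on those branches also passes the check unexamined, so the exemption should stay as narrow as the shared-workflow repository actually requires.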