From b349bf4e6621987c590e338a01c8491875361c80 Mon Sep 17 00:00:00 2001
From: Duncan Smith
Date: Wed, 27 May 2026 15:41:04 +0100
Subject: [PATCH] Pin GitHub Actions to specific SHAs
---
 .github/dependabot.yml | 12 ++++++++++++
 .github/workflows/check-pinned-actions.yml | 11 +++++++++++
 .github/workflows/release.yml | 6 +++---
 .pinact.yaml | 4 ++++
 4 files changed, 30 insertions(+), 3 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/check-pinned-actions.yml
 create mode 100644 .pinact.yaml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..611a09747
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: "/"
+ schedule:
+ interval: daily
+ rebase-strategy: disabled
+ open-pull-requests-limit: 10
+ cooldown:
+ default-days: 7
+ exclude:
+ - fac/*
diff --git a/.github/workflows/check-pinned-actions.yml b/.github/workflows/check-pinned-actions.yml
new file mode 100644
index 000000000..5a35d2750
--- /dev/null
+++ b/.github/workflows/check-pinned-actions.yml
@@ -0,0 +1,11 @@
+name: Check actions have their versions pinned
+
+on:
+ push:
+ paths:
+ - '.github/workflows/*.yml'
+ - '.github/workflows/*.yaml'
+
+jobs:
+ pinact:
+ uses: fac/shared-workflows/.github/workflows/check_pinned_actions.yml@main
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 80e98fc07..ef7d33d27 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,13 +11,13 @@ jobs:
 name: Test action
 steps:
- - uses: actions/checkout@v1
+ - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0
 name: Checkout code
 - name: Run tests
 run: npm run test
- - uses: pCYSl5EDgo/cat@1.0.0
+ - uses: pCYSl5EDgo/cat@264f5b318158276af69bd0a2a9f1e613b2d03ebf # 1.0.0
 name: Cat for GitHub Actions
 id: get_key
 with:
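Review bot: Nothing in `.github/dependabot.yml` records why the `cooldown` block exists, and a 7-day `default-days` with `exclude: - fac/*` is a supply-chain policy decision that a later editor could trim without realising what it protects; add `# Wait 7 days before adopting a new action release so a compromised or yanked tag can be noticed first; first-party fac/* actions skip the delay` above `cooldown:`. Note that `cooldown.exclude` only lifts the delay for `fac/*` — it does not stop Dependabot from proposing updates for those actions. With `interval: daily`, `open-pull-requests-limit: 10` and no `groups` entry, each SHA bump is likely to arrive as its own pull request; a single `groups` entry covering all actions would keep the churn reviewable, if batched bumps suit this repository.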
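Review bot: The new `check-pinned-actions.yml` has no `permissions:` block, so the `GITHUB_TOKEN` passed to the reusable workflow inherits the repository default instead of the least it needs; add `permissions:` / `  contents: read` at workflow level and widen it only if the shared workflow documents needing more. The check also runs only on `push`, so an unpinned `uses:` is flagged after it has landed on the branch rather than while the pull request is open; a `pull_request:` trigger with the same `paths` filter would gate the merge. The `paths` filter covers `.github/workflows/*` only — if this repository also keeps composite actions under `.github/actions/` or a composite `action.yml` at the root (not visible here), `uses:` references in those files would never trigger the check.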
@@ -47,7 +47,7 @@ jobs:
 name: Update action
 steps:
- - uses: actions/checkout@v1
+ - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0
 name: Checkout code
 - name: Update v1 Tag
diff --git a/.pinact.yaml b/.pinact.yaml
new file mode 100644
index 000000000..6c1a9d39d
--- /dev/null
+++ b/.pinact.yaml
@@ -0,0 +1,4 @@
+version: 3
+ignore_actions:
+ - name: fac/.*
+ ref: ^main$
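Review bot: Both `actions/checkout` pins — this hunk and the earlier `@@ -11,13` hunk — freeze the action on the v1 line, and `actions/checkout` has had several later major releases since, so the repository now carries an old version by exact SHA instead of by floating tag; that is the right direction, but a follow-up bump to a maintained major is worth planning (Dependabot, as configured in this patch, should propose it). The trailing `# v1.2.0` comment is what pinact and Dependabot read to track the tag, so it must be kept accurate whenever the SHA changes; the diff alone cannot show that `50fbc622…` is the commit tagged v1.2.0, so that mapping should be verified once against the upstream tag. Both job bodies start before and end after their hunks.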
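Review bot: `ignore_actions` with `name: fac/.*` and `ref: ^main$` exempts every action or reusable workflow under the `fac` org that is referenced by branch, so the mutable `@main` in `check-pinned-actions.yml` (and any future `fac/*@main`) passes the pin check by policy; that is a trust decision about first-party code rather than a technical one, and the file does not say so. Add `# first-party fac/* references to the main branch are trusted unpinned by policy; revisit if any of those repos becomes writable outside the org` above the entry. The pattern is also broader than the one reference this patch introduces — narrowing it to the repositories actually consumed (here `^fac/shared-workflows/`) would stop the exemption from silently growing as new `fac/*@main` references are added. Both values are regular expressions that happen to be YAML-safe as plain scalars; quoting them (`'fac/.*'`, `'^main$'`) would make that explicit.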