From 5ce23f5796b53ca5aba8228a4040ab2d95a14f76 Mon Sep 17 00:00:00 2001
From: Duncan Smith
Date: Wed, 27 May 2026 15:38:58 +0100
Subject: [PATCH] Pin GitHub Actions to specific SHAs

---
 .github/dependabot.yml | 12 ++++++++++++
 .github/workflows/check-pinned-actions.yml | 11 +++++++++++
 .github/workflows/linter.yml | 4 ++--
 .github/workflows/tests.yml | 6 +++---
 .pinact.yaml | 4 ++++
 5 files changed, 32 insertions(+), 5 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/check-pinned-actions.yml
 create mode 100644 .pinact.yaml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..611a0974
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: "/"
+ schedule:
+ interval: daily
+ rebase-strategy: disabled
+ open-pull-requests-limit: 10
+ cooldown:
+ default-days: 7
+ exclude:
+ - fac/*
diff --git a/.github/workflows/check-pinned-actions.yml b/.github/workflows/check-pinned-actions.yml
new file mode 100644
index 00000000..5a35d275
--- /dev/null
+++ b/.github/workflows/check-pinned-actions.yml
@@ -0,0 +1,11 @@
+name: Check actions have their versions pinned
+
+on:
+ push:
+ paths:
+ - '.github/workflows/*.yml'
+ - '.github/workflows/*.yaml'
+
+jobs:
+ pinact:
+ uses: fac/shared-workflows/.github/workflows/check_pinned_actions.yml@main
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 4f7646f3..d528def0 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -11,10 +11,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Setup Ruby
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
 with:
 ruby-version: ${{ matrix.ruby }}
 bundler-cache: true
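Review bot: The `paths` filter on the `push` trigger lists only `.github/workflows/*.yml` and `.github/workflows/*.yaml`, so a push that widens the exemptions in `.pinact.yaml` (added in this same commit) runs no pin check at all; add `- '.pinact.yaml'` to the list. The workflow also fires only on `push`, so pull requests from forks are never checked before merge — a `pull_request:` trigger with the same paths would close that gap. There is no `permissions:` block on the workflow; a top-level `permissions: contents: read` keeps the caller token minimal regardless of the repository default, and a reusable workflow cannot exceed its caller's permissions. The reusable workflow is itself referenced as `fac/shared-workflows/...@main`, a mutable branch ref that the `.pinact.yaml` rule deliberately exempts; that is a trust decision on the org's own repository and deserves a one-line comment above the `uses:` line, e.g. `# same-org reusable workflow; branch ref is exempted in .pinact.yaml`.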
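Review bot: The SHAs on the two `uses:` lines are now the trust anchors, and the `# v4.3.1` / `# v1.310.0` comments are what Dependabot and pinact use to track them, so before merge it is worth confirming that each SHA is exactly the commit the named upstream tag points to — a commit reachable only through a fork of the action's repository still resolves under the upstream's URL, so a pasted SHA is not self-evidently the release. The same check applies to the three pins in tests.yml. Keep the `# vX.Y.Z` comment format exactly as written, since the tooling updates the SHA and the comment together and a stripped comment leaves the pin unmanaged. The enclosing `steps:` list continues outside the hunk.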
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index d3141659..f0f4ce23 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -18,10 +18,10 @@ jobs:
 FERRUM_DEFAULT_TIMEOUT: 15
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Setup Ruby
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
 with:
 ruby-version: ${{ matrix.ruby }}
 bundler-cache: true
@@ -37,7 +37,7 @@ jobs:
 bundle exec rake
 - name: Archive artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 if: ${{ failure() }}
 with:
 name: artifacts-ruby-v${{ matrix.ruby }}
diff --git a/.pinact.yaml b/.pinact.yaml
new file mode 100644
index 00000000..6c1a9d39
--- /dev/null
+++ b/.pinact.yaml
@@ -0,0 +1,4 @@
+version: 3
+ignore_actions:
+ - name: fac/.*
+ ref: ^main$
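Review bot: `name: fac/.*` is unanchored while the sibling `ref: ^main$` is anchored; if pinact matches `name` as a regular expression anywhere in the action name, this rule also exempts any third-party action whose path merely contains `fac/`. Anchoring it, `- name: ^fac/`, limits the exemption to the org's own actions and matches the style already used for `ref`. Because this file decides what the pin check skips, a comment above the entry stating why org-internal workflows on `main` are exempt would help the next reader, e.g. `# org-owned reusable workflows are tracked by branch, not SHA-pinned`.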