feat: pin GitHub Actions to SHA digests and add pin-check workflow

Author: rebEllieous

.github/workflows/conventional-commits.yml

@@ -13,7 +13,7 @@ jobs:
     name: PR Title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -33,9 +33,9 @@ jobs:
     name: Commit Messages
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@v6
+      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6
         with:
           configFile: .commitlintrc.yml

.github/workflows/issues-add-to-project.yml

@@ -13,7 +13,7 @@ jobs:
     name: Add issue to project
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/add-to-project@v1.0.2
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/opendefensecloud/projects/3
           github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}

.github/workflows/release-drafter.yaml

@@ -33,7 +33,7 @@ jobs:
       #    echo "GHE_HOST=${GITHUB_SERVER_URL##https:\/\/}" >> $GITHUB_ENV
 
       # Drafts your next Release notes as Pull Requests are merged into "master"
-      - uses: release-drafter/release-drafter@v7
+      - uses: release-drafter/release-drafter@c2e2804cc59f45f57076a99af580d0fedb697927 # v7
         # (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
         # with:
         #   config-name: my-config.yml

.github/workflows/update-action-pins.yml

@@ -0,0 +1,25 @@
+name: Update Action Pins
+
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/**"
+
+jobs:
+  check-pins:
+    name: Check action pins
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Verify all actions are pinned to a SHA
+        run: |
+          unpinned=$(grep -rE '^\s+(- )?uses: ' .github/workflows/ \
+            | grep -vE '^\s+(- )?uses: \.\/' \
+            | grep -vE '@[0-9a-f]{40}($|\s)')
+          if [[ -n "$unpinned" ]]; then
+            echo "::error::Found unpinned GitHub Actions (must use SHA digest, not tag):"
+            echo "$unpinned"
+            echo ""
+            echo "Run 'GITHUB_TOKEN=\$(gh auth token) update-action-pins .github/workflows/' to fix."
+            exit 1
+          fi

common.mk

@@ -99,7 +99,8 @@ REPO_RULESET := { \
 
 .PHONY: repo-settings
 repo-settings: ## Reconcile GitHub repository settings (labels, merge strategy, branch protection, security)
-	@REPO=$$($(GH) repo view --json nameWithOwner -q .nameWithOwner) || { echo "error: not a GitHub repository or gh not authenticated"; exit 1; }; \
+	@$(GH) auth status >/dev/null 2>&1 || { echo "error: gh is not authenticated; run 'gh auth login'"; exit 1; }; \
+	REPO=$$($(GH) repo view --json nameWithOwner -q .nameWithOwner) || { echo "error: not a GitHub repository"; exit 1; }; \
 	echo "Reconciling settings for $$REPO..."; \
 	\
 	echo "  Syncing labels..."; \
@@ -130,8 +131,44 @@ repo-settings: ## Reconcile GitHub repository settings (labels, merge strategy,
 		echo "    Created new ruleset"; \
 	fi; \
 	\
+	echo "  Installing update-action-pins workflow..."; \
+	mkdir -p .github/workflows; \
+	printf '%s\n' \
+		'name: Update Action Pins' \
+		'' \
+		'on:' \
+		'  pull_request:' \
+		'    paths:' \
+		'      - ".github/workflows/**"' \
+		'' \
+		'jobs:' \
+		'  check-pins:' \
+		'    name: Check action pins' \
+		'    runs-on: ubuntu-latest' \
+		'    steps:' \
+		'      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4' \
+		'      - name: Verify all actions are pinned to a SHA' \
+		'        run: |' \
+		'          unpinned=$$(grep -rE ''^\s+(- )?uses: '' .github/workflows/ \' \
+		'            | grep -vE ''^\s+(- )?uses: \.\/'' \' \
+		'            | grep -vE ''@[0-9a-f]{40}($$|\s)'')' \
+		'          if [[ -n "$$unpinned" ]]; then' \
+		'            echo "::error::Found unpinned GitHub Actions (must use SHA digest, not tag):"' \
+		'            echo "$$unpinned"' \
+		'            echo ""' \
+		'            echo "Run '"'"'GITHUB_TOKEN=$$(gh auth token) update-action-pins .github/workflows/'"'"' to fix."' \
+		'            exit 1' \
+		'          fi' \
+		> .github/workflows/update-action-pins.yml; \
+	echo "    Wrote .github/workflows/update-action-pins.yml"; \
+	\
 	echo "Done."
 
+.PHONY: update-action-pins
+update-action-pins: ## Update GitHub Action pins to their latest commit SHA
+	@$(GH) auth status >/dev/null 2>&1 || { echo "error: gh is not authenticated; run 'gh auth login'"; exit 1; }; \
+	GITHUB_TOKEN=$(gh auth token) update-action-pins .github/workflows/
+
 ##@ General
 
 # The help target prints out all targets with their descriptions organized

example/renovate.json

@@ -3,6 +3,7 @@
   "extends": [
     "config:recommended"
   ],
+  "pinDigests": true,
   "customManagers": [
     {
       "customType": "regex",