diff --git a/.github/artifact-retention.yml b/.github/artifact-retention.yml
index da08e9b0..51b7afb4 100644
--- a/.github/artifact-retention.yml
+++ b/.github/artifact-retention.yml
@@ -44,13 +44,6 @@ artifact_types:
 retention_days: 365 # One year for audit and compliance requirements
 description: "Software Bill of Materials reports generated by anchore/sbom-action and actions/attest-sbom"
 compression_level: 9 # Maximum compression for storage efficiency
- actions:
- - name: "anchore/sbom-action"
- version: "v0.22.2"
- sha: "28d71544de8eaf1b958d335707167c5f783590ad"
- - name: "actions/attest-sbom"
- version: "v2.4.0"
- sha: "bd218ad0dbcb3e146bd073d1d9c6d78e08aa8a0b"
 
 # Compliance and audit artifacts
 compliance:
@@ -107,6 +100,45 @@ github_actions:
 test_results: 6 # Balanced compression/speed
 logs: 3 # Minimal compression for quick access
 
+# Action-to-artifact mappings
+# Maps GitHub Actions to the artifact types they produce, with SHA-pinned references
+# for traceability and supply chain security validation.
+action_mappings:
+ security_reports:
+ - name: "github/codeql-action/analyze"
+ version: "v3.27.0"
+ sha: "ce729e4d353d580e6cacd6a8cf2921b72e5e310a"
+ - name: "github/codeql-action/upload-sarif"
+ version: "v3.27.0"
+ sha: "ce729e4d353d580e6cacd6a8cf2921b72e5e310a"
+ - name: "ossf/scorecard-action"
+ version: "v2.4.3"
+ sha: "4eaacf0543bb3f2c246792bd56e8cdeffafb205a"
+ - name: "actions/dependency-review-action"
+ version: "v4.3.4"
+ sha: "3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261"
+
+ build_artifacts:
+ - name: "actions/upload-artifact"
+ version: "v4.4.3"
+ sha: "b7c566a772e6b6bfb58ed0dc250532a479d7789f"
+ - name: "actions/attest-build-provenance"
+ version: "v3.2.0"
+ sha: "96278af6caaf10aea03fd8d33a09a777ca52d62f"
+
+ test_results:
+ - name: "codecov/codecov-action"
+ version: "v5.5.2"
+ sha: "671740ac38dd9b0130fbe1cec585b89eea48d3de"
+
+ sbom_reports:
+ - name: "anchore/sbom-action"
+ version: "v0.22.2"
+ sha: "28d71544de8eaf1b958d335707167c5f783590ad"
+ - name: "actions/attest-sbom"
+ version: "v2.4.0"
+ sha: "bd218ad0dbcb3e146bd073d1d9c6d78e08aa8a0b"
+
 # Storage optimization recommendations
 optimization:
 compression:
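Review bot: Nothing in this file ties each `sha` under `action_mappings` to the `version` tag beside it or to the `uses:` pins in the workflows, so the header comment's "supply chain security validation" holds only if some consumer actually compares them; the comment should name that consumer, e.g. `# Validated by: <WORKFLOW-OR-SCRIPT placeholder> — fails when a sha here differs from the corresponding uses: pin`. Without such a check, a tag bump that updates one copy but not the other leaves the two silently inconsistent, and the file then documents a pin the workflows no longer use. The entries moved here from `artifact_types.sbom_reports.actions` (first hunk) keep the same version and sha, but any tooling that read the old path has to follow the move, and this diff does not show that.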