Consider pinning GitHub Actions versions to SHA hashes

Currently, GitHub actions are pinned via git tag e.g. `uses: PyO3/maturin-action@v1`

This presents a moderate security risk since git tags are not immutable. A malicious actor who gains control of the upstream repo can force-push onto the tag. For more information, [see here from the zizmor scanning tool docs](https://docs.zizmor.sh/audits/#unpinned-uses) and [here from GitHub](https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions). This is less of a concern for official GitHub repos like `actions/upload-artifact@v4` but more of a concern for less-popular actions like `extractions/setup-just@v3`

You can automatically migrate/maintain these with tools like <https://github.com/suzuki-shunsuke/pinact>

You can also require this at the project settings level

<img width="838" height="358" alt="Image" src="https://github.com/user-attachments/assets/739c6b2a-25a0-4915-ad3f-c57af0d1d905" />


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Consider pinning GitHub Actions versions to SHA hashes #279

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Consider pinning GitHub Actions versions to SHA hashes #279

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions