Summary

All referenced and used GitHub Actions in this repository should be pinned to a specific version (commit SHA or tag) to enhance security and prevent unexpected changes or supply chain attacks. Additionally, if possible, configure Dependabot to help automatically pin and update dependencies, including action versions and package dependencies (if any).

This repository is an Actions provider (with its main entrypoint in action.yml), so ensure any actions (such as uses: steps) or tool dependencies referenced in action.yml—especially in the steps: field—are pinned just as strictly as in workflow YAMLs (e.g., .github/workflows/). The configuration for Dependabot should also consider both workflow usage and references within action.yml.

GitHub Actions best practices

• Pin third-party actions to a full commit SHA when possible; if using tags, prefer immutable tags and regularly update them.
• Limit permissions in workflows using the permissions key to the minimal set required (least privilege).
• Use the official GitHub Actions and verified creators when available; review action code before adopting.
• Avoid passing secrets or the full GITHUB_TOKEN to untrusted third-party actions; use inputs and secrets sparingly.
• Prefer reusable workflows and composite actions for shared logic and pin those references as well.
• Avoid running untrusted remote code (e.g., run: curl | bash) in workflows or within action.yml.
• Use Dependabot for changelog and security updates, and consider scheduling periodic reviews of action pins.
• Use workflow or environment protection rules (branch protection, required reviewers) for sensitive workflows.

Tasks

• Audit all GitHub workflow files (under .github/workflows/) for usages of GitHub Actions.
• Audit the root-level action.yml (Marketplace entrypoint) for any uses: or tool version references.
• Pin each action usage to a specific version (preferably a commit SHA for best security) in both workflow files and in the action.yml.
• Ensure there are no @main, @latest, or other floating tags in action or tool references, including in the composite action steps within action.yml.
• Investigate and, if possible, configure Dependabot:
  • Enable for GitHub Actions versions in both workflows and the top-level composite action.
  • Enable for package dependencies if present (e.g., package.json, requirements.txt).
• Document the pinning standard and GitHub Actions best practices in the repository documentation (e.g., in a CONTRIBUTING.md or repository README).

Acceptance Criteria

• All GitHub Actions are pinned to static versions in workflows and within composite action definitions (action.yml).
• Dependabot is enabled/configured for actions and dependencies.
• All workflows and composite actions follow GitHub Action best practices (as per the official documentation).
• Team is notified of completed migration and pinning standard.