Pin GitHub Actions to SHA digests (zizmor unpinned-uses)

## Pin GitHub Actions to SHA digests

Zizmor detected **3** `unpinned-uses` findings in `.github/workflows/`.

GitHub Actions referenced by tag (e.g. `actions/checkout@v4`) are vulnerable to tag mutation — a compromised or hijacked tag can introduce malicious code into CI runs. Pinning to a full commit SHA (e.g. `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4`) eliminates this supply-chain risk.

### Fix

Run [`pin-github-action`](https://github.com/mheap/pin-github-action) to update all workflow files automatically:

```bash
npx pin-github-action .github/workflows/*.yml
```

### Recommendations

- **Dependabot**: Add a `.github/dependabot.yml` with a `github-actions` entry so pinned SHAs are updated automatically when new Action versions are released.
- **zizmor-action**: Add [zizmor-action](https://github.com/zizmorcore/zizmor-action?tab=readme-ov-file#usage-with-github-advanced-security-recommended) for continuous workflow security scanning in CI.

### References

- [zizmor unpinned-uses audit](https://docs.zizmor.sh/audits/#unpinned-uses)
- [pin-github-action](https://github.com/mheap/pin-github-action)

---
_Opened by [ds-security-scanning](https://github.com/developmentseed/ds-security-scanning) zizmor-cli-unpinned-uses_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pin GitHub Actions to SHA digests (zizmor unpinned-uses) #224

Pin GitHub Actions to SHA digests

Fix

Recommendations

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Pin GitHub Actions to SHA digests (zizmor unpinned-uses) #224

Description

Pin GitHub Actions to SHA digests

Fix

Recommendations

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions