telemetryforge · patrick-stephens · Mar 19, 2026 · Mar 19, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,6 +1,10 @@
 version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
+  - package-ecosystem: github-actions
+    directory: /
+    groups:
+      github-actions:
+        patterns:
+          - "*"
     schedule:
-      interval: "daily"
+      interval: daily
diff --git a/.github/workflows/build-offline.yaml b/.github/workflows/build-offline.yaml
@@ -9,7 +9,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - run: scripts/generate-offline.sh
         shell: bash
@@ -20,7 +20,7 @@ jobs:
         run: ls -lR
         shell: bash
 
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: agent-documentation
           path: "*.tgz"

diff --git a/.github/workflows/call-add-mapping-version.yaml b/.github/workflows/call-add-mapping-version.yaml
@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Authenticate with GCP
-        uses: google-github-actions/auth@v3
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
         with:
           workload_identity_provider: "projects/841522437311/locations/global/workloadIdentityPools/github-actions/providers/github-actions"
           service_account: "terraform-infra@infrastructure-464010.iam.gserviceaccount.com"
@@ -34,13 +34,13 @@ jobs:
         name: Get secrets from GCP Secret Manager
         # This step retrieves secrets from GCP Secret Manager and sets them as outputs
         # The secrets can then be accessed in subsequent steps using ${{ steps.get-secrets.outputs.<secret_name> }}
-        uses: "google-github-actions/get-secretmanager-secrets@v3"
+        uses: "google-github-actions/get-secretmanager-secrets@bc9c54b29fdffb8a47776820a7d26e77b379d262" # v3.0.0
         with:
           secrets: |-
             github-pat:projects/626836145334/secrets/GITHUB_CI_PAT
 
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
             repository: telemetryforge/documentation
             token: ${{ steps.get-secrets.outputs.github-pat }}
@@ -78,7 +78,7 @@ jobs:
       - name: Create a PR with the update
         if: ${{ !inputs.dry-run }}
         id: cpr
-        uses: peter-evans/create-pull-request@v8
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
           commit-message: "ci: add mapping version for agent ${{ inputs.agent-version }}"
           signoff: true

diff --git a/.github/workflows/cron-run-scan.yaml b/.github/workflows/cron-run-scan.yaml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Authenticate with GCP
-        uses: google-github-actions/auth@v3
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
         with:
           workload_identity_provider: "projects/841522437311/locations/global/workloadIdentityPools/github-actions/providers/github-actions"
           service_account: "terraform-infra@infrastructure-464010.iam.gserviceaccount.com"
@@ -29,18 +29,18 @@ jobs:
         name: Get secrets from GCP Secret Manager
         # This step retrieves secrets from GCP Secret Manager and sets them as outputs
         # The secrets can then be accessed in subsequent steps using ${{ steps.get-secrets.outputs.<secret_name> }}
-        uses: "google-github-actions/get-secretmanager-secrets@v3"
+        uses: "google-github-actions/get-secretmanager-secrets@bc9c54b29fdffb8a47776820a7d26e77b379d262" # v3.0.0
         with:
           secrets: |-
             github-pat:projects/626836145334/secrets/GITHUB_CI_PAT
 
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ steps.get-secrets.outputs.github-pat }}
 
       - name: Log into ghcr.io
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -68,7 +68,7 @@ jobs:
       - name: Create a PR with the update
         if: ${{ !inputs.dry-run }}
         id: cpr
-        uses: peter-evans/create-pull-request@v8
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
           commit-message: "ci: update cve scan results"
           signoff: true

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -14,8 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     name: PR - Shellcheck
     steps:
-      - uses: actions/checkout@v6
-      - uses: reviewdog/action-shellcheck@v1.32.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: reviewdog/action-shellcheck@4c07458293ac342d477251099501a718ae5ef86e # v1.32.0
         with:
           reporter: github-pr-review
           fail_level: error
@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     name: PR - Actionlint
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - run: |
           echo "::add-matcher::.github/actionlint-matcher.json"
           bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
@@ -41,7 +41,21 @@ jobs:
     runs-on: ubuntu-latest
     name: PR - Check Orphaned Documentation
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check for orphaned markdown files
         run: bash ./scripts/check-orphaned-docs.sh
         shell: bash
+
+  actions-pin-sha:
+    runs-on: ubuntu-latest
+    name: PR - Actions Pin SHA
+    permissions:
+      contents: read
+      # For ReviewDog to post comments to the PR
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: suzuki-shunsuke/pinact-action@1081f5ad49ac904b7d977784f338145150a32112  # v1.4.0
+        with:
+          skip_push: "true"
+          review: "true"
diff --git a/.pinact.yaml b/.pinact.yaml
@@ -0,0 +1,16 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/suzuki-shunsuke/pinact/refs/heads/main/json-schema/pinact.json
+# pinact - https://github.com/suzuki-shunsuke/pinact
+version: 3
+# files:
+#   - pattern: action.yaml
+#   - pattern: */action.yaml
+
+# separator: "  # "
+
+ignore_actions:
+# - name: slsa-framework/slsa-github-generator/\.github/workflows/generator_generic_slsa3\.yml
+#   ref: v\d+\.\d+\.\d+
+# - name: actions/.*
+#   ref: main
+# - name: suzuki-shunsuke/.*
+#   ref: release-.*