Action not pinned to SHA
========================

.. list-table::
   :stub-columns: 1
   :widths: 20 80

   * - Rule ID
     - ``unpinned_actions``
   * - Category
     - reliability
   * - Severity
     - high

Action uses a mutable tag (@main, @v1, @latest) instead of a full commit SHA. Mutable tags can introduce breaking changes silently.

Detection
---------

``pattern_matching`` — Regex or keyword matching on string field values.

Examples
--------

**Non-compliant:**

.. code-block:: yaml

   jobs:
     build:
       steps:
         - uses: actions/checkout@v4
         - uses: actions/setup-node@main

**Compliant:**

.. code-block:: yaml

   jobs:
     build:
       steps:
         - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         - uses: actions/setup-node@1d0ff469b16e22e0c5b54c03367fd5f57e07ee0

**Fix**: Pin every action to a full 40-character commit SHA. Add a comment with the semantic version for readability. Use Dependabot to keep SHA pins current.
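A minimal checker for the ``pattern_matching`` detection described above, added here as an example and not the project's own code: it scans every ``uses:`` value in a workflow and reports each remote action whose ref is not a full 40-character commit SHA, because a tag or branch such as ``v4`` or ``main`` can later be moved to different code while a full SHA identifies one immutable commit. The sample workflow and its SHAs are constructed; the function names are assumptions.

```python
import re
from typing import List, Tuple

# `uses:` at step level ("- uses:") or job level (reusable workflow); the value
# stops at whitespace, a closing quote, or a trailing "# comment".
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")
# A full commit SHA is exactly 40 hex chars; tags, branches and abbreviated SHAs are not pins.
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def is_pinned(ref: str) -> bool:
    """True only for a full 40-character commit SHA."""
    return FULL_SHA_RE.match(ref) is not None


def find_unpinned_actions(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line, action, ref) for every remote action not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and docker images carry no git ref, so they are skipped.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, sep, ref = target.partition("@")
        if not sep:  # remote action with no ref at all
            findings.append((lineno, action, "missing"))
        elif not is_pinned(ref):
            findings.append((lineno, action, ref))
    return findings


# Constructed sample workflow (not from the page); the SHAs are made-up values.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: 'octo/tool@latest'
      - uses: some/action@0123456789ab
"""

if __name__ == "__main__":
    for lineno, action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is not pinned to a full commit SHA")
```

The abbreviated SHA on the last sample line is flagged too, since only a full 40-character SHA counts as a pin.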