Action not pinned to SHA

Rule ID

unpinned_actions

Category

reliability

Severity

high

The action is referenced by a mutable ref (@main, @v1, @latest) instead of a full commit SHA. A mutable ref can be moved to a different commit at any time, so the workflow can silently pick up breaking changes (or any other change pushed to that tag or branch) with no diff in the workflow file itself.

Detection

pattern_matching — Regex or keyword matching on string field values, here the ref portion (after the last `@`) of each `uses:` value.

Examples

Non-compliant:

jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main

Compliant:

jobs:
  build:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: actions/setup-node@1d0ff469b16e22e0c5b54c03367fd5f57e07ee0

Fix: Pin every action to a full 40-character commit SHA. Add a trailing comment with the semantic version for readability; the comment is informational only, the SHA is what runs, so check that it really is the commit of the intended release. Use Dependabot to keep SHA pins (and their version comments) current.
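As an added illustration of the pattern-matching detection described above (example code, not the rule's own implementation), the following stdlib-only Python checker flags `uses:` values that are not pinned to a full commit SHA. It goes slightly beyond the examples on this page by also handling local actions, Docker-image references and reusable-workflow jobs; the sample workflow and the `octo-org` path are constructed for the demonstration.

```python
import re

# Matches a step-level `- uses: ...` or a job-level `uses: ...` (reusable workflow).
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^"\'#\s]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def check_uses(ref: str):
    """Return None when the reference is pinned, otherwise a short reason."""
    if ref.startswith('./'):
        return None  # local action: resolved from the same checkout, nothing to pin
    if ref.startswith('docker://'):
        # docker://image:tag is mutable too; only a digest (@sha256:...) is immutable
        return None if '@sha256:' in ref else 'docker image not pinned to digest'
    if '@' not in ref:
        return 'missing ref'
    _target, version = ref.rsplit('@', 1)
    if FULL_SHA_RE.match(version):
        return None
    if re.fullmatch(r'[0-9a-f]{7,39}', version):
        # looks like an abbreviated SHA; GitHub only treats the full 40 hex chars as a pin
        return 'abbreviated SHA; use the full 40-character commit SHA'
    return f'mutable ref {version!r}'

def find_unpinned(workflow_text: str) -> list:
    """Scan workflow text line by line; return (line_no, ref, reason) for each finding."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        reason = check_uses(m.group(1))
        if reason:
            findings.append((line_no, m.group(1), reason))
    return findings

# Constructed sample workflow mixing the page's examples with extra cases.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # version comment here
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
  deploy:
    uses: octo-org/workflows/.github/workflows/deploy.yml@v1
"""

if __name__ == '__main__':
    for line_no, ref, reason in find_unpinned(WORKFLOW):
        print(f'line {line_no}: {ref}: {reason}')
```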