stefafafan/pin-github-actions
skills/pin-github-actions/SKILL.md
Create or update GitHub Actions workflow files with remote `uses:` entries pinned to full commit SHAs annotated with the resolved release tag. Use whenever creating or updating a workflow file which contains `uses:` entries.
data-ai
Updated Jun 13, 2026
$ install --global
skillsauthnpx skillsauth add stefafafan/skills pin-github-actionsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 13, 2026, 5:21 AM61.3s1 file scanned
SKILL.md
- name:
- pin-github-actions
- description:
- Create or update GitHub Actions workflow files with remote `uses:` entries pinned to full commit SHAs annotated with the resolved release tag. Use whenever creating or updating a workflow file which contains `uses:` entries.
Pin GitHub Actions
1. Identify Actions to Pin
- For the GitHub Actions Workflow file in subject, scan uses of
uses:entries that reference actions (e.g.actions/checkout@v6). - For each remote
uses: owner/repo@ref, determine if it is already pinned to a full commit SHA. If not, it should be pinned.
2. Edit the Workflow Files
- For newly created snippets of workflow files, ensure all
uses:entries are pinned from the start, with the latest stable release. Usegit ls-remote --tags --sort="v:refname" <REPO_URL> | tail -n 1to find the latest release tag and corresponding commit SHA. - For existing pieces of code, do not update the version unless explicitly instructed. Pin the existing
uses:entries without changing the version. - To pin the action, replace remote refs with the full commit SHA and keep the resolved version as an inline comment (example):
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- Keep the version comment in the form
# vX.Y.Zor# <tag>, preserve YAML structure and step ordering, and avoid unrelated churn.
3. Final Checks
- Ensure every remote GitHub
uses:entry points to a 40-character commit SHA. - Ensure every pinned remote reference has a matching inline version comment.
Trigger Examples
- Create
.github/workflows/ci.ymlfor this repo. - Update
.github/workflows/release.ymlso actions are up to date. - Update all actions used in
.github/workflows/.
Related Skills
stefafafan/specify-cooldown-for-renovate-or-dependabot
testing
VerifiedTrustedCommunity
Add a one-week cooldown to Dependabot or Renovate dependency update configuration. Use when a repository needs Dependabot `cooldown.default-days: 7`, Renovate `minimumReleaseAge: "7 days"`, or migration from Renovate `stabilityDays` to `minimumReleaseAge`.
SKILL.mdUpdated Jun 13, 2026
stefafafan/pnpm-action-setup-cache
testing
VerifiedTrustedCommunity
Update GitHub Actions workflows to use pnpm/action-setup cache support introduced in v4.3.0. Use when creating or editing workflow YAML files that install pnpm, especially when they use actions/setup-node cache: pnpm or actions/cache entries for pnpm store paths.
SKILL.mdUpdated Jun 13, 2026
stefafafan/go-runtime-updater
tools
VerifiedTrustedCommunity
Pick the correct Go version for `go` and `toolchain` directives. Use when an agent needs to bump the Go version, update a go or toolchain directive, or align Go versions in go.mod, go.work, CI, containers, version manager files, or docs.
SKILL.mdUpdated Jun 13, 2026
stefafafan/commit-message-writer
documentation
VerifiedTrustedCommunity
Draft conventional commit messages that explain why a change exists instead of listing what changed. Use when trying to write a git commit message.
SKILL.mdUpdated Apr 23, 2026