
Add opt-in github_actions_pin_to_sha option for GitHub Actions#14516

Open

IanButterworth wants to merge 4 commits into dependabot:main from IanButterworth:ib/pin_sha

Conversation

@IanButterworth IanButterworth commented Mar 23, 2026

Pinning GitHub Actions to SHA is fast becoming more than just best practice, so have Dependabot help.

Closes #7913

Developed with Claude:


What are you trying to accomplish?

Add an opt-in github_actions_pin_to_sha option that tells Dependabot to prefer full commit SHAs over version tags when updating GitHub Actions references. This aligns with GitHub's own security hardening guidance which recommends pinning actions to a full length commit SHA.

When the option is enabled:

  • actions/checkout@v2.1.0 becomes actions/checkout@aabbfeb2ce60b5bd82389903509092c4648a9713 # v2.2.0
  • Already SHA-pinned actions continue to update as SHAs (existing behavior)
  • Security fix updates also return SHAs instead of tags

The option is read from the existing options (experiments) mechanism in dependabot-core. Enabling it for end users will require the Dependabot service to surface it in the dependabot.yml configuration.

Anything you want to highlight for special attention from reviewers?

UpdateChecker (update_checker.rb): updated_ref now checks pin_to_sha? and returns new_tag.fetch(:commit_sha) instead of new_tag.fetch(:tag) when the option is set. This applies to both normal version updates and security fix updates.

FileUpdater (file_updater.rb): New new_version_comment method generates a # vX.Y.Z comment when transitioning from a version tag ref to a SHA ref. This only fires when the old ref is a valid version and the new ref is a commit SHA — it won't add comments in other scenarios.

The existing updated_version_comment path (SHA→SHA with existing comment) is unchanged.

How will you know you've accomplished your goal?

  • New tests in update_checker_spec.rb verify that tag references, full version tags, already-pinned SHAs, and vulnerable tag references all return commit SHAs when the option is enabled.
  • New tests in file_updater_spec.rb verify that tag→SHA transitions add version comments for bare, double-quoted, and single-quoted declarations, and don't produce duplicate comments.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

When enabled, the UpdateChecker returns commit SHAs instead of version
tags for pinned version references. The FileUpdater adds a version
comment (e.g. # v2.2.0) when transitioning from a tag to a SHA pin.

Closes dependabot#7913

Co-authored-by: Claude <noreply@anthropic.com>
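An added example, not dependabot-core's own code, of the tag -> SHA rewrite the description attributes to the FileUpdater: a version-tag ref becomes a commit-SHA ref and gains a `# vX.Y.Z` comment, while SHA -> SHA and tag -> tag updates get no new comment. The function names (`new_version_comment`, `update_uses`), the sample workflow and the rule that an existing trailing comment is replaced rather than duplicated are assumptions made for this example; the SHA and version numbers are the ones from the PR description.

```ruby
# Added example, not dependabot-core's own code: a small FileUpdater-style
# rewrite that turns a version-tag ref into a commit-SHA ref and appends the
# "# vX.Y.Z" comment, following the tag -> SHA behaviour the PR describes.
# Function names and the sample workflow are constructed for this example.

SHA_RE = /\A[0-9a-f]{40}\z/
VERSION_TAG_RE = /\Av?\d+(?:\.\d+)*\z/

def commit_sha?(ref)
  SHA_RE.match?(ref)
end

def version_tag?(ref)
  VERSION_TAG_RE.match?(ref)
end

# The comment to add when a version-tag ref becomes a SHA ref; nil otherwise,
# so SHA -> SHA and tag -> tag updates get no new comment.
def new_version_comment(old_ref, new_ref, new_version)
  return nil unless version_tag?(old_ref) && commit_sha?(new_ref)

  "# #{new_version}"
end

# Rewrites every `uses: owner/repo@old_ref` declaration (bare, double- or
# single-quoted) to new_ref. On a tag -> SHA transition any existing trailing
# comment is replaced (an assumption), so a line never carries two comments.
def update_uses(content, action:, old_ref:, new_ref:, new_version:)
  comment = new_version_comment(old_ref, new_ref, new_version)
  pattern = /^(?<prefix>[ \t]*-?[ \t]*uses:[ \t]*)(?<quote>["']?)#{Regexp.escape(action)}@#{Regexp.escape(old_ref)}\k<quote>(?<rest>[ \t]*(?:#.*)?)$/

  content.gsub(pattern) do
    m = Regexp.last_match
    line = "#{m[:prefix]}#{m[:quote]}#{action}@#{new_ref}#{m[:quote]}"
    comment ? "#{line} #{comment}" : "#{line}#{m[:rest]}"
  end
end

# Constructed workflow covering bare, quoted and already-commented declarations.
WORKFLOW = <<~YAML
  name: ci
  jobs:
    build:
      steps:
        - uses: actions/checkout@v2.1.0
        - uses: "actions/checkout@v2.1.0"
        - uses: 'actions/checkout@v2.1.0' # v2.1.0
        - uses: actions/setup-node@v3
YAML

# SHA and versions taken from the PR description's own example.
NEW_SHA = "aabbfeb2ce60b5bd82389903509092c4648a9713"

def demo
  update_uses(WORKFLOW, action: "actions/checkout", old_ref: "v2.1.0",
              new_ref: NEW_SHA, new_version: "v2.2.0")
end

puts demo if $PROGRAM_NAME == __FILE__
```

Running the file prints the workflow with all three `actions/checkout` lines pinned to the SHA and annotated `# v2.2.0`, and the unrelated `actions/setup-node@v3` line untouched. The regex anchors on the exact `action@old_ref` pair so that a longer action name sharing a prefix (for example `actions/checkout-extra`) is never rewritten by accident.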
@github-actions github-actions bot added the L: github:actions GitHub Actions label Mar 23, 2026
@IanButterworth IanButterworth marked this pull request as ready for review March 23, 2026 16:25
@IanButterworth IanButterworth requested a review from a team as a code owner March 23, 2026 16:25
Copilot AI review requested due to automatic review settings March 23, 2026 16:25
Copilot AI left a comment

Pull request overview

Adds an opt-in github_actions_pin_to_sha option to the GitHub Actions ecosystem so Dependabot can prefer updating uses: refs to full commit SHAs (including for security fixes), and adds workflow-file comments indicating the corresponding version when transitioning from tag → SHA.

Changes:

  • UpdateChecker: when the option is enabled, choose commit_sha instead of the tag for version/security-fix updates.
  • FileUpdater: when converting a version tag ref to a SHA ref, append a # vX.Y.Z comment (when safe to do so).
  • Specs/fixtures: add coverage and a new workflow fixture for tag → SHA transitions.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Summary per file:

  • github_actions/lib/dependabot/github_actions/update_checker.rb: Adds pin_to_sha? and switches updated refs to SHA when enabled.
  • github_actions/lib/dependabot/github_actions/file_updater.rb: Appends a version comment when transitioning from tag → SHA.
  • github_actions/spec/dependabot/github_actions/update_checker_spec.rb: Adds tests ensuring refs become SHAs under the new option (including security fixes).
  • github_actions/spec/dependabot/github_actions/file_updater_spec.rb: Adds tests for tag → SHA replacement and comment behavior (including quoted declarations).
  • github_actions/spec/fixtures/workflow_files/pin_to_sha.yml: New fixture workflow used by FileUpdater specs.



IanButterworth commented Mar 23, 2026

This doesn't currently update @v1 type tags when a release like v1.1 or v1.0.1 comes out. I think it should.

Update: Now it does.

When pin_to_sha is enabled, bypass precision filtering so floating tags
resolve to the latest version's SHA instead of only matching same-precision
tags. Adds tests for major-only and major-minor floating tag scenarios in
both UpdateChecker and FileUpdater.

trinitronx commented Mar 24, 2026

👍

This has been made even more important since the recent Trivy GitHub Actions security incidents[1][2] where part of the GitHub Actions attack involved tags being overridden by a malicious actor.

Pinning the GitHub actions to a SHA would have helped prevent downstream repo credential exfiltration vectors. Immutable Releases + SHA pinning is the recommended remediation approach going forward. Therefore, dependabot should adopt SHA pinning as a supported method.

Footnotes

  1. 2026-02-27, 2026-03-01: Trivy CI/CD attacked. Feb 27th PR to Trivy CI/CD using pull_request_target exposed secrets. Mar 1st "hackerbot-claw" PR attacked Trivy's CI/CD again, later deleting all published release tags

  2. 2026-03-19: Trivy attacked again. v0.69.4 malicious release tag published, trivy-action and setup-trivy GitHub Actions release tags were also compromised, and --force pushed to point to the malware.

@na-jakobs

Thank you @IanButterworth <3


Successfully merging this pull request may close these issues.

Add option for GH actions to prefer SHA pins