chore: SHA-pin GitHub Actions for supply chain security

hyperpolymath · claude · hyperpolymath · commit d370e88abd16 · 2026-03-16T14:43:51.000Z
Pin all GitHub Actions to specific commit SHAs instead of mutable tags
to prevent supply chain attacks. Tags preserved as comments.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
@@ -15,7 +15,7 @@ jobs:
           find . -type f -perm /111 -name "*.sh" | head -10 || true
       
       - name: Check for secrets
-        uses: trufflesecurity/trufflehog@main
+        uses: trufflesecurity/trufflehog@7ee2e0fdffec27d19ccbb8fb3dcf8a83b9d7f9e8 # main
         with:
           path: ./
           base: ${{ github.event.pull_request.base.sha || github.event.before }}
@@ -32,7 +32,7 @@ jobs:
           find . -type f -size +1M -not -path "./.git/*" | head -10 || echo "No large files"
       
       - name: EditorConfig check
-        uses: editorconfig-checker/action-editorconfig-checker@main
+        uses: editorconfig-checker/action-editorconfig-checker@4054fa83a075fdf090bd098bdb1c09aaf64a4169 # main
         continue-on-error: true
 
   docs:
