Security: Pin third-party GitHub Actions to commit SHAs #165

@valosnah

Description

Third-party GitHub Actions in this repository are referenced by mutable Git tags or branches (e.g. @v4, @master) instead of immutable commit SHAs. A tag/branch can be re-pointed by the action's maintainer at any time, so a compromised maintainer account or stolen token can silently swap in malicious code on the next workflow run. GitHub's official guidance is to pin actions to a full-length commit SHA.

This repository has 2 unpinned references across 1 workflow file(s).

Per-workflow occurrences

.github/workflows/deploy-los-to-staging.yml

  • actions/checkout@v4
  • Informasjonsforvaltning/upload-files-to-static-rdf-server-action@v3.2.0

Pin / replace recommendations

| Current ref | Action | Pin to SHA (or replace with) |
|---|---|---|
| Informasjonsforvaltning/upload-files-to-static-rdf-server-action@v3.2.0 | keep | Pin to 84beeeacd364f310ef6a253bc079354cdf62e5dd. Newest correctly-named tag for this internal action. (v.3.3.0 tag has a typo upstream.) |
| actions/checkout@v4 | update | Recommended: update. v4 runs on Node 20, which is on the GitHub Actions deprecation track. Pin to de0fac2e4500dabe0009e67214ff5f5447ce83dd (actions/checkout@v6.0.2) |

Example pinning diff

```yaml
# before
- uses: actions/checkout@v4
# after (pinned, with original ref preserved as a comment)
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
```

References

Source scan: unpinned_actions_20260508_140526.md (org-wide audit, 611 unpinned refs across 47 repos).
