From d4cf5cd70cfd65c9421af0dadec8f6fca5b5b9b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20Cab=C3=A9?= <benjamin@zephyrproject.org>
Date: Fri, 21 Mar 2025 17:41:35 +0100
Subject: [PATCH] ci: github: Add workflow to ensure all GH actions are pinned
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit introduces a new workflow that checks for SHA-pinned GitHub
Actions on pull requests.

Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
---
 .github/workflows/pinned-gh-actions.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 .github/workflows/pinned-gh-actions.yml

diff --git a/.github/workflows/pinned-gh-actions.yml b/.github/workflows/pinned-gh-actions.yml
new file mode 100644
index 000000000000..3522c8b3bec0
--- /dev/null
+++ b/.github/workflows/pinned-gh-actions.yml
@@ -0,0 +1,19 @@
+name: Check SHA-pinned GitHub Actions
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+
+permissions:
+  contents: read
+
+jobs:
+  check-sha-pinned-actions:
+    name: Verify GitHub Actions
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@25ed13d0628a1601b4b44048e63cc4328ed03633 # v3.0.22