# Pin images used in github actions to a hash instead of a version tag.
name: pin-github-actions
on:
  pull_request:
    branches:
      - main
    paths:
      - ".github/workflows/**"

  workflow_dispatch:

permissions:
  contents: read
  pull-requests: read

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  run:
    name: pin-github-actions
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: pin
        run: make pin-github-actions
      - name: check for changed workflow files
        run: git diff --no-ext-diff --exit-code .github/workflows || (echo "Some github actions versions need pinning, run make pin-github-actions."; exit 1)