From f151909a1b0da239991aaca29e79f16a0c155990 Mon Sep 17 00:00:00 2001
From: Tom Cammann
Date: Mon, 18 Aug 2025 10:42:24 +0100
Subject: [PATCH] Pin actions/cache to SHA

Pin the action/cache action in action.yml to a specific SHA, this change will allow usage of the pre-commit action when enforcement of SHA pinning on actions is set[1]. SHA pinning helps prevent supply chain attacks as versions/releases of actions are not immutable and can be updated at any time. Pinning to a SHA makes the release immutable from the consumer perspective.

SHA pinning enforcement applies to downstream dependencies, i.e. if I include pre-commit/action in my workflows I cannot use SHA pinning because actions/cache is currently unpinned.

[1] https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/#enforce-sha-pinning
---
 action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/action.yml b/action.yml
index 18ded0d..d332661 100644
--- a/action.yml
+++ b/action.yml
@@ -12,7 +12,7 @@ runs:
       shell: bash
     - run: python -m pip freeze --local
       shell: bash
-    - uses: actions/cache@v4
+    - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
       with:
         path: ~/.cache/pre-commit
         key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
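Review bot: The `# v4.2.4` trailer on the new `uses:` line is the only link between the pinned hash and a release, and nothing in the commit records that the hash was checked against that tag, so a reviewer cannot tell from the diff whether the pin is the intended release; the commit message or the line comment should say how it was verified, e.g. `# v4.2.4 (verified against the tag with git ls-remote)`. That version comment is also what Dependabot and Renovate parse to bump a SHA-pinned action, so keep it in the `# vX.Y.Z` form and consider adding a `github-actions` entry to `.github/dependabot.yml` (not part of this change) so the pin does not silently fall behind security releases. A SHA pin fixes the consumer's view of the action but does not vet what that commit contains, so it complements rather than replaces review of the action's own dependencies. The enclosing `runs.steps` sequence starts outside the hunk.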