From ab3409f32c7fa8f3ba3c4196067dda1824b2c1f3 Mon Sep 17 00:00:00 2001
From: Frank Niessink <frank@niessink.com>
Date: Wed, 27 May 2026 15:11:13 +0200
Subject: [PATCH] Require GitHub Actions to be pinned to hashes

If a repository uses Github Actions, the versions of the actions are pinned to specific commits (rather than tags or branches, which are mutable). This is enforced for ICTU repositories by the GitHub general actions permission "Require actions to be pinned to a full-length commit SHA".
---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 85fd117..bb2f21c 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,7 @@ ICTU projects, departments, and employees using GitHub should follow the guideli
 - Repositories have [Code scanning alerts](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) turned on.
 - Repositories have [Secret scanning alerts](https://docs.github.com/en/code-security/secret-scanning) turned on.
 - Repositories have [Private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) turned on.
+- If a repository uses Github Actions, the [versions of the actions are pinned to specific commits](https://nldesignsystem.nl/handboek/developer/github-actions/) (rather than tags or branches, which are mutable). This is enforced for ICTU repositories by the GitHub general actions permission "Require actions to be pinned to a full-length commit SHA".
 
 ## Optional guidelines