chore: pin commit SHAs in usage examples, remove floating tag alias workflow (#9)

* chore: pin commit sha in usage examples

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

* chore: add guidance for securely pinning actions with config examples

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

* chore(ci): update release workflow to correlate git tags with commit SHAs

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

* chore(ci): remove support for floating tag aliases

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

---------

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Author: lelia

.github/workflows/aliases.yml

@@ -18,19 +18,19 @@ jobs:
       # setup github auth with bot
       - name: github auth
         id: bot
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
         with:
           app-id: ${{ secrets.GH_BOT_APP_ID }}
           private-key: ${{ secrets.GH_BOT_APP_PEM_FILE }}
 
       - name: checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           persist-credentials: false
 
       - name: setup node
-        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version-file: package.json
           cache: npm

.github/workflows/release.yml

@@ -13,10 +13,16 @@ This action can run in multiple modes:
 - [Socket Firewall: Enterprise](#socket-firewall-enterprise)
 - Socket CLI: _Coming soon_
 
+### Why We Recommend Pinning
+
+Socket is a security control, so the action that installs it should be pinned, too. We recommend pinning to an immutable commit SHA for the strongest supply-chain protection. If your organization prefers easier readability, pin to an immutable version tag instead. Either way, Dependabot can keep the reference current while preserving a human review gate.
+
 ### Socket Firewall: Free
 
 Downloads and installs [Socket Firewall: Free](https://github.com/SocketDev/sfw-free) edition in your GitHub Action job, making it available to use in subsequent steps.
 
+#### Most secure: pin to a commit SHA
+
 ```yaml
 on: push
 
@@ -25,9 +31,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: SocketDev/action@v1
+      - uses: SocketDev/action@2d3f25590c6ed6ba11a9a14c064d962a3a04698f # v1.3.1
         with:
           mode: firewall-free
 
@@ -41,6 +47,49 @@ jobs:
       - run: sfw pip install -r requirements.txt
 ```
 
+#### Slightly less secure: pin to an immutable version tag
+
+```yaml
+on: push
+
+jobs:
+  safe-install:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: SocketDev/action@v1.3.1
+        with:
+          mode: firewall-free
+
+      # javascript / typescript
+      - run: sfw npm install # or yarn, pnpm
+
+      # rust
+      - run: sfw cargo fetch
+
+      # python
+      - run: sfw pip install -r requirements.txt
+```
+
+#### Dependabot config
+
+```yaml
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      semver-major-days: 14
+      semver-minor-days: 7
+      semver-patch-days: 3
+```
+
+Add a cooldown period if you want an extra buffer before newly published action releases are proposed. That gives the ecosystem a little time to surface regressions before Dependabot opens an update PR in your repo.
+
 #### Inputs
 
 | Input              | Description                                                      | Required | Default              |
@@ -61,6 +110,35 @@ jobs:
 
 Downloads and installs [Socket Firewall: Enterprise](https://github.com/SocketDev/firewall-release) edition in your GitHub Action job, making it available to use in subsequent steps as a wrapper.
 
+#### Most secure: pin to a commit SHA
+
+```yaml
+on: push
+
+jobs:
+  safe-install:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: SocketDev/action@2d3f25590c6ed6ba11a9a14c064d962a3a04698f # v1.3.1
+        with:
+          mode: firewall-enterprise
+          socket-token: ${{ secrets.SOCKET_API_KEY }}
+
+      # javascript / typescript
+      - run: sfw npm install # or yarn, pnpm
+
+      # rust
+      - run: sfw cargo fetch
+
+      # python
+      - run: sfw pip install -r requirements.txt
+```
+
+#### Slightly less secure: pin to an immutable version tag
+
 ```yaml
 on: push
 
@@ -69,9 +147,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: SocketDev/action@v1
+      - uses: SocketDev/action@v1.3.1
         with:
           mode: firewall-enterprise
           socket-token: ${{ secrets.SOCKET_API_KEY }}
@@ -86,6 +164,23 @@ jobs:
       - run: sfw pip install -r requirements.txt
 ```
 
+#### Dependabot config
+
+```yaml
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      semver-major-days: 14
+      semver-minor-days: 7
+      semver-patch-days: 3
+```
+
+Add a cooldown period if you want an extra buffer before newly published action releases are proposed. That gives the ecosystem a little time to surface regressions before Dependabot opens an update PR in your repo.
+
 #### Inputs
 
 | Input              | Description                                                      | Required | Default              |