name: Check actions
permissions: {}

on:
  pull_request:
    branches:
      - "*"

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Ensure SHA pinned actions
        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@d5d20e15f2736816ee0e001ba8b24b54d9ffcff4 # v5.0.0
        with:
          # slsa-github-generator requires using a semver tag for reusable workflows.
          # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
          allowlist: |
            slsa-framework/slsa-github-generator