
Missing documentation for github action hash-pinning in dependabot #41346

@Andrej730

Description


What article on docs.github.com is affected?

https://docs.github.com/en/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories#github-actions

What part(s) of the article would you like to see updated?

Dependabot only supports updates to GitHub Actions using the GitHub repository syntax, such as actions/checkout@v5. Dependabot will ignore actions or reusable workflows referenced locally (for example, ./.github/actions/foo.yml).

The article seems to suggest that the only supported syntax is actions/checkout@v5 - pinning the version by tag.

But dependabot also supports providing hash + version comment, see
https://github.blog/changelog/2022-10-31-dependabot-now-updates-comments-in-github-actions-workflows-referencing-action-versions/
dependabot/dependabot-core#5951

Dependabot also supports updating from an arbitrary hash not associated with a tag to the latest hash on the branch (and not to the latest release):

example
From 5651640dc72edabe1a0dc575019d2178acb1b10d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 19 Nov 2025 10:05:31 +0000
Subject: [PATCH] Bump hendrikmuhs/ccache-action in the all-actions group

Bumps the all-actions group with 1 update: [hendrikmuhs/ccache-action](https://github.com/hendrikmuhs/ccache-action).


Updates `hendrikmuhs/ccache-action` from 15457da8f7bbf9b2c71f2efebd847c1a84650208 to 5ebbd400eff9e74630f759d94ddd7b6c26299639
- [Release notes](https://github.com/hendrikmuhs/ccache-action/releases)
- [Commits](https://github.com/hendrikmuhs/ccache-action/compare/15457da8f7bbf9b2c71f2efebd847c1a84650208...5ebbd400eff9e74630f759d94ddd7b6c26299639)

---
updated-dependencies:
- dependency-name: hendrikmuhs/ccache-action
  dependency-version: 5ebbd400eff9e74630f759d94ddd7b6c26299639
  dependency-type: direct:production
  dependency-group: all-actions
...

Signed-off-by: dependabot[bot] <[email protected]>
---
 .github/workflows/build-heavy-compile.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-heavy-compile.yml b/.github/workflows/build-heavy-compile.yml
index dfba755..c77cd5b 100644
--- a/.github/workflows/build-heavy-compile.yml
+++ b/.github/workflows/build-heavy-compile.yml
@@ -9,7 +9,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: hendrikmuhs/ccache-action@15457da8f7bbf9b2c71f2efebd847c1a84650208
+      uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639
 
     - name: Configure build
       run: |
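Review bot: the step named `- name: Checkout code` in this hunk actually runs `hendrikmuhs/ccache-action`, not a checkout; renaming it (for example `Set up ccache`) makes future Dependabot bumps of this line easier to review. Separately, the new pin `uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639` carries no trailing version comment, so, as the issue text describes, Dependabot will keep moving it to the newest commit on the branch rather than to a tagged release; appending a comment such as `# vX.Y.Z` (placeholder for the matching release) lets Dependabot follow releases and keep that comment in sync.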

Documenting this will clearly state what is supported and how it works, removing confusion.

Additional information

No response
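The three reference syntaxes the issue contrasts (tag, SHA with a version comment, bare SHA) can be told apart mechanically. The following audit script is an added example, not code from the issue or from Dependabot; it scans `uses:` lines of a workflow and reports which pins would float to the newest branch commit rather than to a release. The `actions/checkout` SHA in the sample is a made-up placeholder.

```python
import re
from typing import List, NamedTuple, Optional

# A `uses:` line: optional list dash, the target (owner/repo[/path]@ref or ./local/path),
# then an optional trailing `# comment` that Dependabot keeps in sync with the version.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(?P<target>\S+)\s*(?:#\s*(?P<comment>.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                # full commit SHA
VERSION_COMMENT_RE = re.compile(r"^v?\d+(?:\.\d+)*")  # e.g. v5, v5.0.0, 1.2.3

class ActionRef(NamedTuple):
    action: str
    ref: str
    pin: str  # "local" | "tag" | "sha+version" | "sha"

def classify_uses(line: str) -> Optional[ActionRef]:
    """Classify one workflow line; returns None if it is not a `uses:` line."""
    m = USES_RE.match(line)
    if not m:
        return None
    target, comment = m.group("target"), m.group("comment") or ""
    if target.startswith("./"):
        return ActionRef(target, "", "local")          # ignored by Dependabot
    action, _, ref = target.partition("@")
    if not SHA_RE.match(ref):
        return ActionRef(action, ref, "tag")           # tag/branch reference
    if VERSION_COMMENT_RE.match(comment):
        return ActionRef(action, ref, "sha+version")   # SHA + comment: follows releases
    return ActionRef(action, ref, "sha")               # bare SHA: follows the branch head

def audit_workflow(text: str) -> List[ActionRef]:
    return [r for r in (classify_uses(line) for line in text.splitlines()) if r is not None]

def bare_sha_pins(text: str) -> List[str]:
    """Actions whose bare-SHA pin will be bumped to the latest branch commit, not a release."""
    return [r.action for r in audit_workflow(text) if r.pin == "sha"]

# Constructed sample workflow. The targets on lines 1, 3 and 4 are taken from the issue text;
# the SHA on line 2 is a made-up placeholder, not a real actions/checkout commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
    - uses: actions/checkout@v5
    - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v5.0.0
    - name: ccache
      uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639
    - uses: ./.github/actions/foo.yml
    - run: echo "uses: not-an-action"
"""

if __name__ == "__main__":
    for r in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{r.pin:12} {r.action} {r.ref}")
```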

Metadata

Labels: content (This issue or pull request belongs to the Docs Content team), dependabot (Content related to Dependabot)
