
[Good First Issue]: create docs/sdk_developers/how-to-pin-github-actions.md #1211

@exploreriii

Description


πŸ†•πŸ₯ First Timers Only

This issue is reserved for people who have never contributed, or have made only minimal contributions, to the Hiero Python SDK.
We know that creating a pull request (PR) is a major barrier for new contributors.
The goal of this issue, and of all other issues in find a good first issue, is to help you make your first contribution to the Hiero Python SDK.

👾 Description of the issue

Sometimes we need to create GitHub workflows which use GitHub Actions.

For example:
.github/workflows/bot-issue-reminder-no-pr.yml
this uses

      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #6.0.1

💡 Proposed Solution

We can write a document explaining to new starters how to identify the right commit hash and the syntax to use.

πŸ‘©β€πŸ’» Implementation Steps

Create docs/sdk_developers/how-to-pin-github-actions.md

Explain:

  • When using a GitHub action, you need to pin it to a specific commit hash
  • You should add a comment stating which release version that hash corresponds to
  • Why this is important

here are some rough guidelines to help you:

How to Pin GitHub Actions to the Correct Commit Hash
Why pin GitHub Actions?

GitHub Actions can be referenced in three ways:

uses: owner/action@v1          # ❌ floating tag
uses: owner/action@v4          # ⚠️ major version tag
uses: owner/action@<commit>    # ✅ pinned commit hash (recommended)


Pinning to a commit hash is the most secure and reliable option because:

Tags (v1, v4, latest) can move

A compromised release cannot silently change behavior

Security tools (e.g. StepSecurity) require pinned SHAs

This guide explains how to find the correct commit hash for the latest release of an action and how to handle outdated or deprecated actions.

Step-by-step: How to find the correct commit hash for an action
Step 1: Open the action’s GitHub repository

Start with the action’s repository. Examples:

step-security/harden-runner

actions/checkout

tcort/github-action-markdown-link-check

You can often find these by googling. Always prefer the official repository linked from the GitHub Marketplace and check it has positive ratings and many users.

Step 2: Go to the Releases page

In the repository, click:
Releases → Latest
e.g.
https://github.com/step-security/harden-runner/releases

on the left you should see something like
v2.14.0 (Latest)

Step 3: Open the release tag

Click the release (e.g. v2.14.0).

This opens a page like:
https://github.com/step-security/harden-runner/releases/tag/v2.14.0

Next to the tag name, the release page shows the short commit hash the tag points to. Click it to open the commit page.

Step 4: Copy the full commit SHA

Once you are on the commit page, copy the full 40-character SHA, for example:

20cf305ff2072d973412fa9b1e3a4f227bda3c76

Step 5: Update your workflow

Replace the old or floating reference:

uses: step-security/harden-runner@v2.14.0

with the pinned commit:

uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
(please check this is correct)

👉 Always keep the version comment (# v2.14.0) for readability.

Best practices checklist

✔ Always pin actions to a full commit SHA
✔ Keep the version comment (# vX.Y.Z)
✔ Prefer maintained forks over deprecated repos
✔ Verify the release date and activity
✔ Update pinned SHAs periodically
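As an added example (not part of the issue or the SDK's own code), the small checker below applies the checklist above to a workflow file: it flags `uses:` references that are not a full 40-character SHA (floating tags and short hashes alike) and references that lack a `# vX.Y.Z` comment. It also shows how to resolve a release tag to the commit to pin from `git ls-remote --tags` output: annotated tags appear twice there, once as the tag object and once as a `^{}` peeled line, and the peeled SHA is the commit that actually runs. The workflow snippet and the ls-remote output are constructed sample data; the `1111…`/`2222…` SHAs are placeholders, while the harden-runner SHA is the one quoted in this issue.

```python
import re

# One `uses:` step line, e.g.
#   uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #6.0.1
# Local actions (`uses: ./path`) carry no `@` and are not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<repo>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")        # GitHub SHAs are lowercase hex
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
VERSION_RE = re.compile(r"v?\d+(\.\d+){0,2}")      # v2.14.0, 6.0.1, v4 ...


def check_uses_line(line):
    """Return the list of findings for one workflow line (empty if compliant)."""
    m = USES_RE.match(line)
    if not m:
        return []
    ref, comment = m.group("ref"), m.group("comment")
    findings = []
    if not FULL_SHA_RE.match(ref):
        if SHORT_SHA_RE.match(ref):
            findings.append("short SHA: pin to the full 40-character commit hash")
        else:
            findings.append(f"floating reference '{ref}': pin to a commit hash")
    if not comment or not VERSION_RE.search(comment):
        findings.append("missing version comment (# vX.Y.Z)")
    return findings


def check_workflow(text):
    """Check every line of a workflow file; returns [(line_no, line, findings)]."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        findings = check_uses_line(line)
        if findings:
            results.append((no, line.strip(), findings))
    return results


def resolve_tag(ls_remote_output, tag):
    """Map a tag to the commit SHA to pin, given `git ls-remote --tags` output.

    A lightweight tag lists once and points straight at the commit. An annotated
    tag lists twice: `refs/tags/<tag>` is the tag object, `refs/tags/<tag>^{}` is
    the peeled commit. Pin the peeled SHA; the workflow runs the commit, not the
    tag object. Returns None when the tag is not present."""
    peeled = direct = None
    for line in ls_remote_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        sha, ref = parts
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif ref == f"refs/tags/{tag}":
            direct = sha
    return peeled or direct


# Constructed sample workflow: two compliant steps, two that should be flagged.
SAMPLE_WORKFLOW = """\
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #6.0.1
      - name: Floating tag (bad)
        uses: owner/action@v4
      - name: Short SHA (bad)
        uses: step-security/harden-runner@20cf305 # v2.14.0
"""

# Constructed `git ls-remote --tags` output; 1111.../2222... are placeholder SHAs,
# v2.14.0 is modelled as an annotated tag with a peeled commit line.
SAMPLE_LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/v2.13.0
2222222222222222222222222222222222222222\trefs/tags/v2.14.0
20cf305ff2072d973412fa9b1e3a4f227bda3c76\trefs/tags/v2.14.0^{}
"""

if __name__ == "__main__":
    for no, line, findings in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: {line}")
        for f in findings:
            print(f"    - {f}")
    print("v2.14.0 ->", resolve_tag(SAMPLE_LS_REMOTE, "v2.14.0"))
```

Run it on a real workflow with `check_workflow(open(".github/workflows/x.yml").read())`; for the resolver, feed it the output of `git ls-remote --tags https://github.com/<owner>/<action>` and compare the returned SHA with the one shown on the release page before pinning it.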

Would appreciate your help at doing your own research, improving on these guidelines!

✅ Acceptance Criteria

To be able to merge a pull request for this issue, we need:

  • Changelog Entry: Correct changelog entry (please link to the documentation - see guide)
  • Signed commits: commits must be DCO and GPG key signed (see guide)
  • All Tests Pass: our workflow checks like unit and integration tests must pass
  • Issue is Solved: The implementation fully addresses the issue requirements as described above
  • No Further Changes are Made: Code review feedback has been addressed and no further changes are requested

📋 Step-by-Step Contribution Guide

If you have never contributed to an open source project at GitHub, the following step-by-step guide will introduce you to the workflow.

  • Claim this issue: Comment below that you are interested in working on the issue. Without assignment, your pull requests might be closed and the issue given to another developer.
  • Wait for assignment: A community member with the given rights will add you as an assignee of the issue
  • Fork, Branch and Work on the issue: Create a copy of the repository, create a branch for the issue and solve the problem. For instructions, please read our Contributing guide file. Further help can be found at Set-up Training and Workflow Training.
  • DCO and GPG sign each commit: each commit must be signed with both -s and -S. An explanation of how to do this is in the Signing Guide.
  • Add a Changelog Entry : your pull request will require a changelog. Read Changelog Entry Guide to learn how.
  • Push and Create a Pull Request : Once your issue is resolved, and your commits are signed, and you have a changelog entry, push your changes and create a pull request. Detailed instructions can be found at Submit PR Training, part of Workflow Training.
  • You did it 🎉: A maintainer or committer will review your pull request and provide feedback. If approved, we will merge the fix into the main branch. Thanks for being part of the Hiero community as an open-source contributor ❤️

IMPORTANT: Your pull request CANNOT BE MERGED until you add a changelog entry AND sign each of your commits with git commit -S -s -m "chore: your commit message" with a GPG key set up.

🤔 Additional Information

For more help, we have extensive documentation.

Additionally, we invite you to join our community on our Discord server.

We also invite you to attend each Wednesday, 2pm UTC our Python SDK Office Hour and Community Calls. The Python SDK Office hour is for hands-on-help and the Community Call for general community discussion.

You can also ask for help in a comment below!

Labels: Good First Issue (issues which are ideal for a first time or new project contributor)