
Update precommit hooks and github action with 10 days cooldown and pin to sha1 commit #2377

Merged
seefood merged 5 commits into Bash-it:master from BarbUk:precommit_hooks
Apr 6, 2026

Conversation

BarbUk (Contributor) commented Apr 4, 2026

Description

Update pre-commit hooks and the GitHub Action with a 10-day cooldown period, and pin to the sha1 of the release instead of using a tag.

Motivation and Context

Following the multiple supply chain security issues in the node / python ecosystems, pinning to sha seems a good idea.

How Has This Been Tested?

Updated the hooks, and ran them with prek run -a or pre-commit run -a:

❯ prek run -a
trim trailing whitespace....................................................Passed
fix end of files............................................................Passed
check for merge conflicts...................................................Passed
mixed line ending...........................................................Passed
check for added large files.................................................Passed
Check for conflict markers and core.whitespace errors.......................Passed
Test shell scripts with shellcheck..........................................Passed
Check shell style with shfmt................................................Passed
CRLF end-lines remover......................................................Passed
Check .sh files against bash-it requirements................................Passed
Check .bash files against bash-it requirements..............................Passed
Check that clean_files.txt is sorted alphabetically.........................Passed
❯ pre-commit run -a
[INFO] Initializing environment for https://github.com/jumanjihouse/pre-commit-hooks.
[INFO] Initializing environment for https://github.com/Lucas-C/pre-commit-hooks.
[INFO] Installing environment for https://github.com/pre-commit/pre-commit-hooks.
[INFO] Once installed this environment will be reused.
[INFO] This may take a few minutes...
[INFO] Installing environment for https://github.com/Lucas-C/pre-commit-hooks.
[INFO] Once installed this environment will be reused.
[INFO] This may take a few minutes...
trim trailing whitespace....................................................Passed
fix end of files............................................................Passed
check for merge conflicts...................................................Passed
mixed line ending...........................................................Passed
check for added large files.................................................Passed
Check for conflict markers and core.whitespace errors.......................Passed
Test shell scripts with shellcheck..........................................Passed
Check shell style with shfmt................................................Passed
CRLF end-lines remover......................................................Passed
Check .sh files against bash-it requirements................................Passed
Check .bash files against bash-it requirements..............................Passed
Check that clean_files.txt is sorted alphabetically.........................Passed

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • If my change requires a change to the documentation, I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • If I have added a new file, I also added it to clean_files.txt and formatted it using lint_clean_files.sh.
  • I have added tests to cover my changes, and all the new and existing tests pass.

@BarbUk BarbUk changed the title Update precommit hooks with 10 days cooldown and pin to sha1 commit Update precommit hooks and github action with 10 days cooldown and pin to sha1 commit Apr 4, 2026
@BarbUk BarbUk marked this pull request as draft April 4, 2026 20:06
BarbUk (Contributor, Author) commented Apr 4, 2026

#2378 should be merged before for the CI to pass.

seefood (Contributor) commented Apr 5, 2026

see #2379, I think it covers this. Not sure I want to lock down to specific sha versions; major version should be good enough, no?

BarbUk (Contributor, Author) commented Apr 5, 2026

Note that this PR is still a draft, as I didn't finish the tests.
I'll check #2379 in the meantime.

major version should be good enough, no?

Nope, tags or releases are not immutable.

See for recent examples:
https://michaelheap.com/pin-your-github-actions/
https://rosesecurity.dev/2026/03/20/typosquatting-trivy

@BarbUk BarbUk force-pushed the precommit_hooks branch from 26e9e9f to 4c304d8 Compare April 5, 2026 17:33
seefood (Contributor) commented Apr 5, 2026

I thought we could at least trust github's actions/ collection...

BarbUk (Contributor, Author) commented Apr 5, 2026

Yes, with build attestation, but I don't think it's possible yet with github action to validate it:
https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations

BarbUk (Contributor, Author) commented Apr 5, 2026

The current good practice for action / dependencies should be:

  • use sha pinning where possible
  • require signed commits on workflow file changes
  • restrict allowed actions at the org level to an explicit allowlist

@BarbUk BarbUk marked this pull request as ready for review April 5, 2026 17:49
BarbUk (Contributor, Author) commented Apr 5, 2026

I should also document how to update with sha pinning and a cooldown of 10 days:

  • action:
pinact run --update --min-age 10
  • pre-commit hooks:
prek autoupdate --freeze --cooldown-days 10
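As an added example, not code from this PR, from bash-it, or from the pinact or prek projects: a small check for the end state that the two update commands above leave behind, and that the "use sha pinning where possible" point in the earlier list asks for. It scans a workflow for `uses:` references and a `.pre-commit-config.yaml` for `rev:` values, and reports every remote reference that is still a tag or branch name rather than a full 40-character commit SHA. The workflow and pre-commit config embedded below are constructed samples; the commit hashes in them are made up, and the trailing `# v5.1.0` / `# frozen: 3.0.0` comments only illustrate the human-readable version annotation that SHA-pinning tools write next to the hash.

```python
"""Report GitHub Actions `uses:` refs and pre-commit `rev:` values that are
not pinned to a full commit SHA (added example; assumptions noted inline)."""
import re

# Constructed sample workflow: a mix of tag pins, a SHA pin, a local action
# and a docker image. The 40-hex hash is made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.1.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
"""

# Constructed sample .pre-commit-config.yaml: one tag rev, one frozen SHA rev,
# and a local repo that has no rev at all. The hash is made up.
SAMPLE_PRECOMMIT = """\
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.6.0
    hooks:
      - id: trailing-whitespace
  - repo: https://github.com/jumanjihouse/pre-commit-hooks
    rev: 89abcdef0123456789abcdef0123456789abcdef  # frozen: 3.0.0
    hooks:
      - id: shellcheck
  - repo: local
    hooks:
      - id: lint
        name: lint
        entry: ./lint_clean_files.sh
        language: script
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
REPO_RE = re.compile(r"^\s*-\s*repo:\s*(?P<repo>\S+)")
REV_RE = re.compile(r"^\s*rev:\s*['\"]?(?P<rev>[^'\"\s#]+)")


def unpinned_actions(workflow_text):
    """Return (line_no, ref) for each remote `uses:` whose version part is
    not a full SHA. Local actions (./...) and docker:// images are skipped:
    commit pinning does not apply to them (images are pinned by digest)."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")  # empty when no @ at all
        if not FULL_SHA.match(version):
            findings.append((n, ref))
    return findings


def unpinned_hooks(precommit_text):
    """Return (line_no, repo, rev) for each remote hook repo whose rev is
    not a full SHA. `repo: local` and `repo: meta` entries carry no rev."""
    findings = []
    current_repo = None
    for n, line in enumerate(precommit_text.splitlines(), 1):
        rm = REPO_RE.match(line)
        if rm:
            current_repo = rm.group("repo")
            continue
        vm = REV_RE.match(line)
        if vm and current_repo not in (None, "local", "meta"):
            rev = vm.group("rev")
            if not FULL_SHA.match(rev):
                findings.append((n, current_repo, rev))
    return findings


def main():
    """Print every unpinned reference in the samples; exit 1 if any exist."""
    report = [f"workflow line {n}: {ref}" for n, ref in unpinned_actions(SAMPLE_WORKFLOW)]
    report += [f".pre-commit-config.yaml line {n}: {repo} @ {rev}"
               for n, repo, rev in unpinned_hooks(SAMPLE_PRECOMMIT)]
    for entry in report:
        print("not SHA-pinned:", entry)
    return 1 if report else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run against the samples it flags `actions/checkout@v4`, `some-org/some-action@main` and the `v4.6.0` rev, and accepts the two frozen hashes; pointing the two functions at a real workflow and config (read from disk instead of the embedded strings) turns this into a CI gate that fails when someone reintroduces a tag pin after the tools have frozen everything to commits.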

@seefood seefood merged commit 4240c3c into Bash-it:master Apr 6, 2026
6 checks passed
ira-at-work pushed a commit to seefood/bash-it that referenced this pull request Apr 6, 2026
…te-actions

* 'master' of github.com:Bash-it/bash-it:
  Update precommit hooks and github action with 10 days cooldown and pin to sha1 commit (Bash-it#2377)
seefood (Contributor) commented Apr 6, 2026

so for completeness:
https://github.com/suzuki-shunsuke/pinact
https://prek.j178.dev/

thanks! I'm smarter today :)

@BarbUk BarbUk deleted the precommit_hooks branch April 6, 2026 04:52
BarbUk (Contributor, Author) commented Apr 6, 2026

so for completeness:
https://github.com/suzuki-shunsuke/pinact
https://prek.j178.dev/

Exactly.

I will make another PR to add this information in the readme or in https://github.com/Bash-it/bash-it/blob/master/docs/development.rst
