From 41c9457d58f5068c9448fbc0030b55c2d128c712 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sat, 20 Jun 2026 21:55:15 +0000
Subject: [PATCH] docs: bump the README actions/checkout pin example to v7.0.0
 (#53)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The "Pinning third-party actions" example still showed `# v4.3.1` while every
workflow in the repo now pins `actions/checkout` at `# v7.0.0`; update the doc
example to match so it reads like the actual code.

(#60/#43/#62/#61 — the rest of this PR's original scope — landed on main
independently via #69/#66/#64/#65, so this branch is reduced to just the #53
doc fix.)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01GKLYLEuXjYyvnmfXdwdpdG
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 3745daa..60077c3 100644
--- a/README.md
+++ b/README.md
@@ -206,7 +206,7 @@ Every **third-party** action is pinned to a full commit SHA, with the
 human-readable version in a trailing comment, e.g.:
 
 ```yaml
-uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 ```
 
 This is GitHub's [recommended hardening posture](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions):