Description
Describe the issue
GitHub Actions workflows should pin the actions they use to a commit SHA, to prevent supply chain attacks such as this:
https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066
Examples
Please share an example code sample (in the IaC of your choice) + the expected outcomes.
Workflow using version pinning
```yaml
name: Example version pinning
permissions:
  contents: read
on:
  pull_request:
jobs:
  checkoutCode:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
```
Desired result
Check: CKV_GHA_XX: "Ensure Github Action sources use a commit hash"
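A minimal version of the requested check, as an added example and not checkov's own implementation: it scans the `uses:` lines of a workflow and reports every remote action whose ref is not a full 40-hex commit SHA. The sample workflow and the SHA in it are constructed for this example.

```python
import re

# Constructed sample workflow for this example (not the issue's own): one step
# pinned to a mutable tag (what the requested check should flag), one pinned to a
# full commit SHA (constructed value), a local action and a docker image.
SAMPLE_WORKFLOW = """\
name: Example version pinning
permissions:
  contents: read
on:
  pull_request:
jobs:
  checkoutCode:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# A `uses:` step key; captures the value up to whitespace, quote or comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# Full-length git commit SHA (40 hex digits). Tags and branches can be moved to
# new commits; only this form fixes which action code every run executes.
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}", re.IGNORECASE)

def is_pinned_to_sha(uses_value: str) -> bool:
    """True when `owner/repo[/path]@ref` ends in a full 40-hex commit SHA."""
    if "@" not in uses_value:
        return False  # no ref at all resolves to the default branch
    return FULL_SHA_RE.fullmatch(uses_value.rsplit("@", 1)[1]) is not None

def find_unpinned_uses(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, uses_value) for each remote action not SHA-pinned.

    Local actions (`./path`) and `docker://` images are skipped: they carry no
    git ref that a commit-hash requirement could apply to.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        uses_value = match.group(1)
        if uses_value.startswith(("./", "docker://")):
            continue
        if not is_pinned_to_sha(uses_value):
            findings.append((lineno, uses_value))
    return findings
```

Run against the sample, only the `actions/checkout@v4` step on line 10 is reported; the SHA-pinned step passes.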
Additional context
A similar check exists for terraform:
https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py#L12