diff --git a/.github/workflows/pinact.yml b/.github/workflows/pinact.yml
new file mode 100644
index 0000000..fa94308
--- /dev/null
+++ b/.github/workflows/pinact.yml
@@ -0,0 +1,22 @@
+name: Pinact
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  pinact:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+      - name: Verify GitHub Actions are pinned to full commit SHAs
+        uses: suzuki-shunsuke/pinact-action@896d595f299e71d65b9d28349d6956abe144390a # v3.0.0
+        with:
+          # Check-only: fail CI if any action is unpinned or a version comment
+          # does not match its SHA. Never modify files.
+          fix: "false"
+          verify: "true"
diff --git a/.pinact.yaml b/.pinact.yaml
new file mode 100644
index 0000000..c25f675
--- /dev/null
+++ b/.pinact.yaml
@@ -0,0 +1,6 @@
+version: 3
+files:
+  - pattern: .github/workflows/*.yml
+  - pattern: .github/workflows/*.yaml
+  - pattern: .github/actions/*/action.yml
+  - pattern: .github/actions/*/action.yaml
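Review bot: The workflow triggers only on `pull_request`, so an unpinned or mis-commented action that lands on the default branch by a direct push, or through a merge where this check was not a required status, is never flagged afterwards; adding a `push` trigger for the default branch (name to be confirmed against the repository settings) and `workflow_dispatch` for manual re-runs closes that gap, e.g. `push:` / `  branches: [main]` under `on:`. The `pinact` job also has no `timeout-minutes`; since `verify: "true"` presumably resolves each SHA against the GitHub API, a stalled or rate-limited lookup would otherwise hold the runner for the platform default, so `timeout-minutes: 10` on the job is worth adding. A short comment above `on:` stating why only PRs are checked, if that is deliberate, would save the next reader from re-deriving it.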
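Review bot: The `files` patterns only reach composite actions exactly one directory below `.github/actions/`; an action nested deeper, or an `action.yml`/`action.yaml` at the repository root if this repository ships its own action, falls outside the pin check and the workflow from the sibling hunk would pass silently. If pinact's pattern syntax supports recursive globs, `- pattern: .github/actions/**/action.yml` (and the `.yaml` twin) covers the nested case; otherwise each additional action directory needs its own entry, and a comment above `files:` noting that new action locations must be added here would make that maintenance obligation visible. `version: 3` is an unquoted integer, which appears to be what the schema expects, but a one-line comment naming the config format it refers to would help readers who do not know pinact.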