While researching GitHub Actions security best practices for a talk, I asked myself: "How many GitHub repositories actually pin their dependencies?"
As I was not able to find any hard numbers, I went to gather the data myself. The results (and raw data) are available at:
http://pin-gh-actions.kammel.dev/
The code is available on GitHub, in case you want to replicate the data or report any issues:
https://github.com/datosh/pinned-actions