Saved February 14, 2026
Do you care about this?
pinact is a command-line tool that helps you edit and pin versions of GitHub Actions and reusable workflows. It allows you to update versions, verify annotations, and create pull request reviews for better security and reliability in CI/CD pipelines.
If you do, here's more
pinact is a command-line interface (CLI) tool designed for managing GitHub Actions and composite actions. It allows users to pin versions of actions and reusable workflows by commit hash, addressing security concerns tied to mutable GitHub tags. By using full-length commit SHAs for pinning, pinact helps prevent malicious changes that could introduce vulnerabilities. The tool can also update versions, verify annotations, and generate reviews, making it a comprehensive tool for managing GitHub workflows.
To use pinact, run it from the root directory of a Git repository. The tool targets specific files, such as `.github/workflows/*.yml` and `action.yml`, but allows customization of target files through command-line arguments or configuration files. Features like skipping recently released versions help avoid potential instability. Users need to manage GitHub access tokens, which can be done via environment variables or secret stores like Windows Credential Manager.
As of version 3.3.0, pinact supports creating reviews through the GitHub API, requiring a token with the appropriate permissions. However, it cannot create reviews on unchanged files in a pull request. The tool includes an optional configuration file for easier management and validation options to check if actions are pinned without fixing them. If actions aren't pinned, the command fails, ensuring compliance with pinning best practices.