From 5c4e96738e437240a5ccf55daaf2fd3163d7b0f6 Mon Sep 17 00:00:00 2001
From: Patrick Kaeding
Date: Tue, 24 Mar 2026 10:44:44 -0400
Subject: [PATCH] [SEC-7924] chore: pin third-party GitHub Actions to commit SHAs

Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the third-party-action-not-pinned-to-commit-sha Semgrep rule.
---
 .github/actions/publish/action.yml | 4 ++--
 .github/workflows/check-openapi-updates.yml | 2 +-
 .github/workflows/go.yml | 2 +-
 .github/workflows/release-please.yml | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/actions/publish/action.yml b/.github/actions/publish/action.yml
index d8adf902..1a2b8654 100644
--- a/.github/actions/publish/action.yml
+++ b/.github/actions/publish/action.yml
@@ -32,9 +32,9 @@ runs:
   using: composite
   steps:
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
     - name: Setup Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       with:
         platforms: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/386
     - name: Set up goreleaser
diff --git a/.github/workflows/check-openapi-updates.yml b/.github/workflows/check-openapi-updates.yml
index 4559a90a..79b341e9 100644
--- a/.github/workflows/check-openapi-updates.yml
+++ b/.github/workflows/check-openapi-updates.yml
@@ -20,7 +20,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Send Slack notification
-        uses: rtCamp/action-slack-notify@v2
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2
         env:
           SLACK_CHANNEL: proj-cli
           SLACK_COLOR: ${{ job.status }}
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index cc405dba..e05537fb 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
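Review bot: The trailing `# v3` comments on the two new `uses:` lines record a floating major tag rather than the release the SHA was taken from, so a reader cannot check the pin or see what it is equivalent to without resolving the hash; the same applies to `# v2` in the check-openapi-updates.yml hunk and `# v4` in the release-please.yml hunk. Record the exact release tag instead, e.g. `uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # <exact-release-tag>` (placeholder: the tag this SHA resolves to), which is also the form Dependabot and Renovate keep in sync when they bump a SHA-pinned action. I cannot verify from the diff that each SHA is a commit reachable from the tag it claims; that should be checked against the upstream repository before merge. If this repository has no automated updater for the `github-actions` ecosystem, these pins will otherwise go stale silently, which is worth confirming alongside this change.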
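Review bot: `actions/checkout@v4` on the context line just above the changed step is still a floating tag, as is `actions/setup-python@v3` in the go.yml hunk. The commit's stated scope is third-party actions per the Semgrep rule, but a mutable tag on a first-party action carries the same tag-retarget risk, and a reader of a pinning commit will look for a stated reason for the exception. Either pin these too (`- uses: actions/checkout@<full-commit-sha> # <exact-release-tag>`, placeholders) or say in the commit message that first-party actions are intentionally left on tags. The job that owns this `steps:` list begins before the hunk.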
@@ -24,6 +24,6 @@ jobs:
         run: go build .
       - uses: actions/setup-python@v3
-      - uses: pre-commit/action@v3.0.1
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
       - name: test
         run: go test ./...
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 5432fdd3..345f5876 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -14,7 +14,7 @@ jobs:
       release_created: ${{ steps.release.outputs.release_created }}
       tag_name: ${{ steps.release.outputs.tag_name }}
     steps:
-      - uses: google-github-actions/release-please-action@v4
+      - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4
         id: release
         with:
           token: ${{secrets.GITHUB_TOKEN}}