From cb849f973be34bf1c3c7368f15d133d24581aa57 Mon Sep 17 00:00:00 2001
From: Claude
Date: Fri, 12 Jun 2026 16:35:45 +0000
Subject: [PATCH] root - chore: defense - pin all GitHub Actions to full SHAs

Pin every third-party GitHub Action to a full commit SHA (with a version comment) instead of a floating major tag. Mutable tag/branch refs can be moved to point at malicious commits; commit SHAs are immutable. This is a supply-chain / defense-in-depth hardening change (no behavior change).

- actions/checkout v6 -> df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- actions/setup-node v6 -> 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
- codecov/codecov-action v7 -> fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
- github/codeql-action/{init,autobuild,analyze} v4 -> 8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2

pnpm/action-setup was already SHA-pinned (v6.0.8). All four workflow files still parse.

https://claude.ai/code/session_01Px42UMbWbPmi3d5YeKHwKa
---
 .github/workflows/code-coverage.yaml | 6 +++---
 .github/workflows/codeql.yaml | 8 ++++----
 .github/workflows/release.yaml | 4 ++--
 .github/workflows/tests.yaml | 4 ++--
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/code-coverage.yaml b/.github/workflows/code-coverage.yaml
index aa1dc47..302efeb 100644
--- a/.github/workflows/code-coverage.yaml
+++ b/.github/workflows/code-coverage.yaml
@@ -23,13 +23,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Install pnpm
 uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
 - name: Use Node.js 22
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 22
 cache: 'pnpm'
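Review bot: The new SHA pins on `actions/checkout` and `actions/setup-node` only stay a hardening win if something bumps them; a fixed hash otherwise silently freezes the workflow on whatever these actions ship today, including any bug or vulnerability fixed upstream later. If the repository does not already have one, add `.github/dependabot.yml` with `package-ecosystem: "github-actions"` (or the Renovate equivalent), which recognises the `<sha> # vX.Y.Z` form used here and updates the hash and the trailing version comment together. Keep that comment format exactly as written, since the tooling keys on it, and a comment that drifts from the hash is worse than no comment. The job's remaining steps are outside this hunk.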
@@ -44,7 +44,7 @@ jobs:
 run: pnpm test
 - name: Code Coverage
- uses: codecov/codecov-action@v7
+ uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 slug: Hyphen/nodejs-sdk
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index 36de730..05a7321 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -39,11 +39,11 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -57,7 +57,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@v4
+ uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -70,6 +70,6 @@ jobs:
 # ./location_of_script_within_repo/buildscript.sh
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f0212db..2d061aa 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
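Review bot: Nothing in this hunk lets a reviewer confirm that `fb8b3582…` is really the commit behind `codecov/codecov-action` tag `v7.0.0`; the trailing comment is an assertion, not a check, and a mistyped or attacker-supplied hash would look identical in the diff. Before merging, resolve each pin against the upstream tag, e.g. `git ls-remote https://github.com/codecov/codecov-action refs/tags/v7.0.0`, and compare against the peeled `refs/tags/v7.0.0^{}` entry if the tag is annotated, since that is the commit the workflow will actually run. The same verification applies to the other three pins in this patch. This is also the one third-party step here that receives a secret (`${{ secrets.CODECOV_TOKEN }}`), which is a further reason to make that check routine.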
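Review bot: `init`, `autobuild` and `analyze` are now pinned to the same `8aad20d1…` commit, which is the right shape, but nothing in the file records that they must move together; a later partial bump would leave `init` and `analyze` from different releases of one tool, a combination that is presumably never tested upstream. Add a one-line comment above the `Perform CodeQL Analysis` step, e.g. `# Keep this SHA identical to the init/autobuild pins above; bump all three together`, so the next manual or bot update keeps them in lockstep. The `Initialize CodeQL` and `Autobuild` steps are in earlier hunks of this file.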
@@ -21,13 +21,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Install pnpm
 uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
 - name: Use Node.js 22
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 22
 cache: 'pnpm'
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 3196c26..988a71d 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -27,13 +27,13 @@ jobs:
 node-version: ['22', '24', '26']
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Install pnpm
 uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: ${{ matrix.node-version }}
 cache: 'pnpm'
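Review bot: The newly pinned `actions/checkout` step in `release.yaml` still runs with its default `persist-credentials: true`, which leaves the job's `GITHUB_TOKEN` in `.git/config` where every later step, including anything a dependency runs during `pnpm install`, can read it; in a release job that is the most valuable token in the repository. Unless a later step in this workflow pushes commits or tags with that token, give the checkout step `with:` and `persist-credentials: false`. The rest of the job, including the publish step and whatever secrets it uses, is outside this hunk, so I cannot tell from here whether anything relies on the persisted credentials.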
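Review bot: The `pnpm/action-setup` plus `actions/setup-node` pair changed here in `tests.yaml` is byte-for-byte the same as in `code-coverage.yaml` and `release.yaml` (only the `node-version` value differs), so every future pin bump is a three-file edit that can drift, which is exactly the failure mode SHA pinning is meant to remove. Consider moving that pair into a local composite action and calling it from the three workflows right after `actions/checkout`, which must stay in each workflow because a local action can only run once the repository is checked out; the pins then live in one place. The current hunk is correct as written; this is a maintainability point.
```yaml
# .github/actions/setup-node-pnpm/action.yml
name: Setup pnpm and Node.js
description: Install pnpm and a pinned Node.js with the pnpm store cached
inputs:
  node-version:
    description: Node.js version to install
    default: '22'
runs:
  using: composite
  steps:
    - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
    - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      with:
        node-version: ${{ inputs.node-version }}
        cache: 'pnpm'
```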