From 07e75cf6c6957738fe807ae4ac8daab8698e1985 Mon Sep 17 00:00:00 2001
From: Satya Kwok <119509589+satyakwok@users.noreply.github.com>
Date: Tue, 12 May 2026 05:20:25 +0200
Subject: [PATCH] ci: pin third-party GitHub Actions to commit SHAs

Replaces tag refs (`@v3`, `@v2`) with full commit SHAs. Comments preserve the original tag for human readability and so dependabot can still propose upgrades. SHAs verified via GitHub commits API at the time of this commit.
---
 .github/workflows/ci.yml | 2 +-
 .github/workflows/codeql.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 21c2889..929f484 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,7 +17,7 @@ jobs:
 - uses: actions/checkout@v6
 - name: Install Foundry
- uses: foundry-rs/foundry-toolchain@v1
+ uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d # v1
 with:
 version: stable

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b2d98d9..b14f532 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -23,9 +23,9 @@ jobs:
 language: ['javascript-typescript']
 steps:
 - uses: actions/checkout@v5
- - uses: github/codeql-action/init@v4
+ - uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
 with:
 languages: ${{ matrix.language }}
- - uses: github/codeql-action/analyze@v4
+ - uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
 with:
 category: '/language:${{ matrix.language }}'
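Review bot: The new `uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d # v1` line is only as strong as the check that this SHA is what the `v1` tag resolves to in the upstream repository; the commits API named in the message also returns commits that exist only in forks of a repository, so confirm with `git ls-remote --tags https://github.com/foundry-rs/foundry-toolchain v1` and record the exact release in the comment (`# v1.x.y`) rather than the floating major, which is also the form Dependabot needs to bump the SHA and comment together. The unchanged context line `- uses: actions/checkout@v6` is left on a mutable tag while `github/codeql-action`, also GitHub-owned, is pinned in the other file, so either pin checkout the same way or add a comment in the workflow stating why first-party actions are exempt. The context line `version: stable` reads like a floating channel, in which case the toolchain binary this step installs is still unpinned and the reproducibility gained from the SHA is partly lost; consider pinning to a specific Foundry release if that matters for this repository. The enclosing job starts outside the hunk, and the commit description says `@v3`/`@v2` refs were replaced whereas the hunks replace `@v1` and `@v4`.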
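Review bot: The `# v4` comments on the new `init@68bde559dea0fdcac2102bfdf6230c5f70eb485e` and `analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e` lines name only the major line, so the exact release this SHA corresponds to cannot be recovered from the file; write the full tag the SHA was resolved from, e.g. `# v4.<minor>.<patch>` as reported by `git ls-remote --tags https://github.com/github/codeql-action`, which is also what Dependabot keys off when proposing SHA bumps. The context line `- uses: actions/checkout@v5` is left on a mutable tag and is one major behind the `@v6` used in ci.yml; pinning it to a SHA with a version comment would make the two workflows consistent and close the remaining tag-retargeting exposure here. Pinning `init` and `analyze` to the same commit is correct since they ship from one repository, so keep them in lock-step on future bumps. The enclosing job starts outside the hunk.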