From 6242b6c2e86cbfe5b133595156022eba8de968f3 Mon Sep 17 00:00:00 2001
From: Satya Kwok <119509589+satyakwok@users.noreply.github.com>
Date: Tue, 12 May 2026 05:20:05 +0200
Subject: [PATCH] ci: pin third-party GitHub Actions to commit SHAs

Replaces tag refs (`@v3`, `@v2`) with full commit SHAs. Comments preserve the original tag for human readability and so dependabot can still propose upgrades. SHAs verified via GitHub commits API at the time of this commit.
---
 .github/workflows/ci.yml             | 2 +-
 .github/workflows/codeql.yml         | 4 ++--
 .github/workflows/docker-publish.yml | 8 ++++----
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a4b965a..02e9839 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,7 +30,7 @@ jobs:
       - uses: actions/checkout@v6
       - name: Install pnpm
-        uses: pnpm/action-setup@v6
+        uses: pnpm/action-setup@739bfe42ca9233c5e6aca07c1a25a9d34aca49b0 # v6
         with:
           version: 9.12.0
           run_install: false
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 12e14ed..1cba0f7 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -23,9 +23,9 @@ jobs:
         language: ['javascript-typescript']
     steps:
       - uses: actions/checkout@v5
-      - uses: github/codeql-action/init@v3
+      - uses: github/codeql-action/init@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
         with:
           languages: ${{ matrix.language }}
-      - uses: github/codeql-action/analyze@v3
+      - uses: github/codeql-action/analyze@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
         with:
           category: '/language:${{ matrix.language }}'
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index f172ba6..a88848c 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
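Review bot: The `# v6` comment on the pnpm/action-setup pin records the floating major tag rather than the release the SHA resolves to, so a later reader cannot check the commit against a published release without querying the repository; the same applies to every `# v3`/`# v6` comment in the codeql.yml and docker-publish.yml hunks. Recording the exact tag, e.g. `# v6.<minor>.<patch>` (fill in the release tag the SHA resolves to), keeps the pin auditable and still fits the comment format the description says dependabot relies on. The context line `actions/checkout@v6` stays tag-pinned, which matches the "third-party" scope in the description, but first-party actions can be pinned the same way if the goal is a fully pinned workflow. The description also mentions `@v2`, which does not occur in the diff; presumably `@v6` was meant.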
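Review bot: init and analyze are pinned to one and the same commit, which is required because both actions live in the github/codeql-action repository and must run from the same release, but nothing in the file says so and a future bump of only one of them would pass review unnoticed. A comment above the first pinned step, `# init and analyze must stay on the same codeql-action commit`, documents the invariant. The job this hunk belongs to starts before the hunk and continues after it.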
@@ -45,11 +45,11 @@ jobs:
         with:
           ref: ${{ inputs.tag || github.ref }}
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
+      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
+      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: Log in to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -83,7 +83,7 @@ jobs:
            } >> $GITHUB_OUTPUT
       - name: Build + push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           context: .
           file: ${{ matrix.dockerfile }}
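Review bot: Pinning docker/setup-qemu-action and docker/setup-buildx-action in the first hunk fixes the action code but not the tooling those actions fetch at run time (a binfmt image and a buildx binary, as far as I recall), so that part of the toolchain is still resolved by floating defaults; if reproducible builds are the goal, the inputs that select those versions (setup-qemu-action's `image`, setup-buildx-action's `version`) deserve pinning too, e.g. `with:` / `  version: <buildx-release>` under the buildx step. The login-action pin is the most valuable one here because `secrets.DOCKERHUB_TOKEN` is handed to that step; its `with:` block is unchanged. The job starts before the first hunk and runs past the second.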