ByronWilliamsCPA · williaby · May 30, 2026
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
@@ -23,7 +23,7 @@ jobs:
     name: Upload Coverage
     # Only run on successful CI completion
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
-    uses: ByronWilliamsCPA/.github/.github/workflows/python-codecov.yml@main
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-codecov.yml@40ff5b5615e786ee0867e1b9e8f21a4735036e63 # main
     with:
       artifact-name: 'coverage-reports'
       coverage-files: '*.xml'

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -34,7 +34,7 @@ jobs:
 
     steps:
       - name: Harden the runner
-        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
         with:
           egress-policy: audit
 
@@ -57,13 +57,13 @@ jobs:
         run: uv sync --no-dev
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3.35.3
+        uses: github/codeql-action/init@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3.36.0
         with:
           languages: python
           build-mode: none
           queries: security-extended,security-and-quality
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3.35.3
+        uses: github/codeql-action/analyze@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3.36.0
         with:
           category: "/language:python"
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -23,7 +23,7 @@ jobs:
   upload-coverage:
     name: Upload Coverage to Qlty
     if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
-    uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@main
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@40ff5b5615e786ee0867e1b9e8f21a4735036e63 # main
     with:
       coverage-artifact-name: coverage-reports
       coverage-file-path: coverage.xml

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Dependency Review
         uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -29,7 +29,7 @@ permissions:
 
 jobs:
   docs:
-    uses: ByronWilliamsCPA/.github/.github/workflows/python-docs.yml@main
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-docs.yml@40ff5b5615e786ee0867e1b9e8f21a4735036e63 # main
     with:
       python-version: '3.12'
       docs-directory: 'docs'

diff --git a/.github/workflows/fips-compatibility.yml b/.github/workflows/fips-compatibility.yml
@@ -52,7 +52,7 @@ permissions:
 
 jobs:
   fips-check:
-    uses: ByronWilliamsCPA/.github/.github/workflows/python-fips-compatibility.yml@main
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-fips-compatibility.yml@40ff5b5615e786ee0867e1b9e8f21a4735036e63 # main
     with:
       strict-mode: ${{ github.event.inputs.strict_mode == 'true' }}
       include-tests: true

diff --git a/.github/workflows/mutation-testing.yml b/.github/workflows/mutation-testing.yml
@@ -40,7 +40,7 @@ jobs:
     name: Mutation Testing
     # Skip on forks (no PR comment permissions)
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-    uses: ByronWilliamsCPA/.github/.github/workflows/python-mutation.yml@main
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-mutation.yml@40ff5b5615e786ee0867e1b9e8f21a4735036e63 # main
     with:
       python-version: '3.12'
       source-directory: 'src'

diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
@@ -29,7 +29,7 @@ jobs:
   # Supplemental PR Checks (Changelog, Link Validation)
   # ==========================================================================
   supplemental-checks:
-    uses: ByronWilliamsCPA/.github/.github/workflows/python-supplemental-checks.yml@e8fc83c98c2971ad1ece71573d28171463e30c16 # main
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-supplemental-checks.yml@40ff5b5615e786ee0867e1b9e8f21a4735036e63 # main
     with:
       # Changelog enforcement
       enable-changelog-check: true
@@ -56,7 +56,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner
-        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
         with:
           egress-policy: audit
 

diff --git a/.github/workflows/python-compatibility.yml b/.github/workflows/python-compatibility.yml
@@ -34,7 +34,7 @@ permissions:
 
 jobs:
   compatibility:
-    uses: ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@main
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@40ff5b5615e786ee0867e1b9e8f21a4735036e63 # main
     with:
       python-versions: '["3.10", "3.11", "3.12", "3.13"]'
       operating-systems: '["ubuntu-latest"]'

diff --git a/.github/workflows/qlty.yml b/.github/workflows/qlty.yml
@@ -15,7 +15,7 @@ concurrency:
 jobs:
   qlty:
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
-    uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@main
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@40ff5b5615e786ee0867e1b9e8f21a4735036e63 # main
     permissions:
       contents: read
       actions: read

diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
@@ -24,7 +24,7 @@ permissions: read-all
 
 jobs:
   reuse:
-    uses: ByronWilliamsCPA/.github/.github/workflows/python-reuse.yml@main
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-reuse.yml@40ff5b5615e786ee0867e1b9e8f21a4735036e63 # main
     with:
       generate-spdx: true
       fail-on-missing: true

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -35,7 +35,7 @@ permissions:
 jobs:
   sbom:
     name: SBOM & Security
-    uses: ByronWilliamsCPA/.github/.github/workflows/python-sbom.yml@main
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-sbom.yml@40ff5b5615e786ee0867e1b9e8f21a4735036e63 # main
     with:
       python-version: '3.12'
       fail-on-vulnerabilities: true

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -26,7 +26,7 @@ permissions:
 
 jobs:
   scorecard:
-    uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@main
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@40ff5b5615e786ee0867e1b9e8f21a4735036e63 # main
     with:
       publish-results: true
       upload-sarif: true

diff --git a/.github/workflows/security-analysis.yml b/.github/workflows/security-analysis.yml
@@ -34,7 +34,7 @@ permissions:
 
 jobs:
   security:
-    uses: ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@main
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@40ff5b5615e786ee0867e1b9e8f21a4735036e63 # main
     with:
       source-directory: 'src'
       python-version: '3.12'

diff --git a/.github/workflows/slsa-provenance.yml b/.github/workflows/slsa-provenance.yml
@@ -41,7 +41,7 @@ jobs:
 
     steps:
       - name: Harden the runner
-        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
         with:
           egress-policy: audit
 
@@ -98,7 +98,7 @@ jobs:
   slsa:
     name: SLSA Level 3
     needs: [build]
-    uses: ByronWilliamsCPA/.github/.github/workflows/python-slsa.yml@main
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-slsa.yml@40ff5b5615e786ee0867e1b9e8f21a4735036e63 # main
     with:
       base64-subjects: ${{ needs.build.outputs.hashes }}
       upload-assets: true

diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
@@ -32,7 +32,7 @@ permissions:
 
 jobs:
   sonarcloud:
-    uses: ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml@e8fc83c98c2971ad1ece71573d28171463e30c16 # main
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml@40ff5b5615e786ee0867e1b9e8f21a4735036e63 # main
     with:
       sonar-organization: byronwilliamscpa
       sonar-project-key: ByronWilliamsCPA_python-libs