From 03a7768436bfb27b822b02990d3c12bfde7f8e5b Mon Sep 17 00:00:00 2001
From: Alfonso Embid-Desmet
Date: Mon, 25 May 2026 10:57:37 -0700
Subject: [PATCH] security: pin GitHub Actions to SHA hashes

Pin all third-party GitHub Actions to full SHA references to prevent supply chain attacks via tag manipulation or typosquatting.

Ref: https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html
---
 .github/workflows/nightly.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index ef373ebfe7..8fcc9f1c15 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -31,7 +31,7 @@ jobs:
       - name: Create Pull Request
         id: cpr
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672 # v3.14.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Updated Packages
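Review bot: The new `uses:` line pins to a 40-character SHA, but nothing in the commit shows that this SHA was verified to be the commit the `v3.14.0` tag resolves to, and a wrong or attacker-supplied SHA would be accepted just as silently as a moved tag; the reviewer should confirm it against the upstream repository (e.g. `git ls-remote https://github.com/peter-evans/create-pull-request refs/tags/v3.14.0`) before merging. A SHA pin also freezes the action at this revision, so the repository needs an updater that understands the trailing `# v3.14.0` comment (Dependabot `package-ecosystem: github-actions` or Renovate) or the pin will quietly fall behind security fixes; keep that comment present and accurate since it is what those tools use to bump the pin. The description says all third-party actions were pinned, but the diffstat shows only this one line in one workflow changed, so any other `uses:` references in this or other workflow files presumably still need the same treatment. The step belongs to a job whose header and remaining steps lie outside the hunk.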