From 293c2d6e93455e71a5494e7119facd2abc7cd41e Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Fri, 22 May 2026 18:03:22 +0200
Subject: [PATCH] SHA pin first-party GitHub Actions

Pins every actions/* and github/* uses: reference in
.github/workflows to its commit SHA, with the human-readable
version preserved in a trailing comment, matching the convention
already used for third-party actions. Removes the supply-chain
exposure left by floating @vN tags now that dependabot has a
3-day cooldown configured.

Follows https://github.com/cli/cli/pull/13491 (cli/cli) and
https://github.com/cli/cli/issues/13490.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/codeql.yml | 8 ++++----
 .github/workflows/push.yml   | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 886480a..0ebcdba 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -25,21 +25,21 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup Go
         if: matrix.language == 'go'
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: "go.mod"
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4.35.5
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           languages: ${{ matrix.language }}
           queries: security-and-quality
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4.35.5
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 7e74061..37a250b 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -16,11 +16,11 @@ jobs:
     name: Test suite
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Setup go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: go.mod
       - run: go test -v ./...