ipdxco · galargh · May 10, 2026
diff --git a/.github/actions/inspect-releaser/README.md b/.github/actions/inspect-releaser/README.md
@@ -37,7 +37,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: releaser
-        uses: ipdxco/unified-github-workflows/.github/actions/inspect-releaser@main
+        uses: ipdxco/unified-github-workflows/.github/actions/inspect-releaser@6d814de11369bb725d26e8d350ac62fe6811ff0a # main
         with:
           artifacts-url: ${{ github.event.inputs.artifacts-url || github.event.workflow_run.artifacts_url }}
       - if: ${{ steps.releaser.outputs.id == '' }}

diff --git a/.github/actions/inspect-releaser/action.yml b/.github/actions/inspect-releaser/action.yml
@@ -34,7 +34,7 @@ runs:
   using: composite
   steps:
     - id: workflow-run
-      uses: ipdxco/workflow-run-context@v1
+      uses: ipdxco/workflow-run-context@492ea3967eb2ca7ed76b7888b42fa7649addd975 # v1.1.1
       with:
         artifacts-url: ${{ inputs.artifacts-url }}
         artifact-names: ${{ inputs.artifact-name }}
diff --git a/.github/workflows/add-label-by-query.yml b/.github/workflows/add-label-by-query.yml
@@ -26,7 +26,7 @@ jobs:
           QUERY: ${{ github.event.inputs.query }}
           LABEL: ${{ github.event.inputs.label }}
           DRY_RUN: ${{ github.event.inputs.dry-run }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           result-encoding: string
           script: |

diff --git a/.github/workflows/check-3rd-party.yml b/.github/workflows/check-3rd-party.yml
@@ -9,7 +9,7 @@ jobs:
     outputs:
       targets: ${{ steps.set-matrix.outputs.targets }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - id: set-matrix
         run: |
           TARGETS=$(find . -type f -name "*.yml" | sed "s|^\./||" | grep -v workflow-templates/header.yml | jq -R -s -c 'split("\n")[:-1]')
@@ -23,7 +23,7 @@ jobs:
         file: ${{ fromJSON(needs.matrix.outputs.targets) }}
     name: ${{ matrix.file }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: ./.github/actions/render-templates
       - name: Run check
         env:

diff --git a/.github/workflows/check-yaml.yml b/.github/workflows/check-yaml.yml
@@ -12,9 +12,9 @@ jobs:
   check-yaml:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: ./.github/actions/render-templates
-      - uses: ipdxco/validate-yaml-schema@v1
+      - uses: ipdxco/validate-yaml-schema@9ad8180446c50787626d798c2230f80fe1d974d1 # v1.0.1
         with:
           yamlSchemasJson: |
             {

diff --git a/.github/workflows/copy-templates.yml b/.github/workflows/copy-templates.yml
@@ -23,7 +23,7 @@ jobs:
     outputs:
       defaults: ${{ steps.defaults.outputs.defaults }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - id: defaults
         name: Read defaults
         run: |

diff --git a/.github/workflows/create-prs.yml b/.github/workflows/create-prs.yml
@@ -22,7 +22,7 @@ jobs:
         env:
           BRANCH: ${{ github.event.inputs.branch }}
           DRY_RUN: ${{ github.event.inputs.dry-run }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           github-token: ${{ secrets.UCI_GITHUB_TOKEN }}
           retries: 0

diff --git a/.github/workflows/delete-branches.yml b/.github/workflows/delete-branches.yml
@@ -22,7 +22,7 @@ jobs:
         env:
           BRANCH: ${{ github.event.inputs.branch }}
           DRY_RUN: ${{ github.event.inputs.dry-run }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           github-token: ${{ secrets.UCI_GITHUB_TOKEN }}
           retries: 0

diff --git a/.github/workflows/dispatch.yml b/.github/workflows/dispatch.yml
@@ -27,7 +27,7 @@ jobs:
       batches: ${{ steps.matrix.outputs.result }}
     steps:
       - id: matrix
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           FILTER: ${{ inputs.filter }}
         with:

diff --git a/.github/workflows/go-check.yml b/.github/workflows/go-check.yml
@@ -52,13 +52,13 @@ jobs:
       - name: Create GitHub App installation token
         id: checkout-app
         if: steps.secrets.outputs.CHECKOUT_APP_ID == 'true' && steps.secrets.outputs.CHECKOUT_PRIVATE_KEY == 'true'
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
           app-id: ${{ secrets.CHECKOUT_APP_ID }}
           private-key: ${{ secrets.CHECKOUT_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
       - name: Check out the repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: recursive
           token: ${{ steps.checkout-app.outputs.token || secrets.CHECKOUT_TOKEN || github.token }}
@@ -77,20 +77,20 @@ jobs:
           fi
       - name: Check out the latest stable version of Go
         id: stable
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: stable
           cache: false
       - name: Read the Unified GitHub Workflows configuration
         id: config
-        uses: ipdxco/unified-github-workflows/.github/actions/read-config@main
+        uses: ipdxco/unified-github-workflows/.github/actions/read-config@6d814de11369bb725d26e8d350ac62fe6811ff0a # main
       - name: Read the go.mod file
         id: go-mod
-        uses: ipdxco/unified-github-workflows/.github/actions/read-go-mod@main
+        uses: ipdxco/unified-github-workflows/.github/actions/read-go-mod@6d814de11369bb725d26e8d350ac62fe6811ff0a # main
       - name: Set up the Go version read from the go.mod file
         id: go
         if: (inputs.go-version || fromJSON(steps.go-mod.outputs.json).Go) != steps.stable.outputs.go-version || inputs.go-cache != 'false'
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ${{ inputs.go-version || fromJSON(steps.go-mod.outputs.json).Go }}
           cache: ${{ inputs.go-cache }}
@@ -170,7 +170,7 @@ jobs:
             go get github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$version ||
             go get github.com/golangci/golangci-lint/cmd/golangci-lint@$version
       - name: Check that go.mod is tidy
-        uses: protocol/multiple-go-modules@v1.4
+        uses: protocol/multiple-go-modules@ac694baecddc63fc5ba8fe8262d46659fbbf911d # v1.4
         with:
           run: |
             go mod tidy
@@ -189,19 +189,19 @@ jobs:
           fi
       - name: go vet
         if: success() || failure() # run this step even if the previous one failed
-        uses: protocol/multiple-go-modules@v1.4
+        uses: protocol/multiple-go-modules@ac694baecddc63fc5ba8fe8262d46659fbbf911d # v1.4
         with:
           run: go vet ./...
       - name: staticcheck
         if: success() || failure() # run this step even if the previous one failed
-        uses: protocol/multiple-go-modules@v1.4
+        uses: protocol/multiple-go-modules@ac694baecddc63fc5ba8fe8262d46659fbbf911d # v1.4
         with:
           run: |
             set -o pipefail
             staticcheck ./... | sed -e 's@\(.*\)\.go@./\1.go@g'
       - name: golangci-lint run
         if: (success() || failure()) && hashFiles('.golangci.yml', '.golangci.toml', '.golangci.json', '.golangci.yaml') != ''
-        uses: protocol/multiple-go-modules@v1.4
+        uses: protocol/multiple-go-modules@ac694baecddc63fc5ba8fe8262d46659fbbf911d # v1.4
         env:
           NEW_FROM_REV: ${{
               steps.github.outputs.base_sha && !(
@@ -218,7 +218,7 @@ jobs:
         with:
           run: golangci-lint run --disable govet --disable staticcheck --new=false --new-from-patch= --new-from-rev=$NEW_FROM_REV --verbose
       - name: go generate
-        uses: protocol/multiple-go-modules@v1.4
+        uses: protocol/multiple-go-modules@ac694baecddc63fc5ba8fe8262d46659fbbf911d # v1.4
         if: (success() || failure()) && fromJSON(steps.config.outputs.json).gogenerate == true
         env:
           IGNORE_PROTOC_VERSION_COMMENTS: ${{ inputs.go-generate-ignore-protoc-version-comments }}

diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml
@@ -77,7 +77,7 @@ jobs:
       - name: Create GitHub App installation token
         id: checkout-app
         if: steps.secrets.outputs.CHECKOUT_APP_ID == 'true' && steps.secrets.outputs.CHECKOUT_PRIVATE_KEY == 'true'
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
           app-id: ${{ secrets.CHECKOUT_APP_ID }}
           private-key: ${{ secrets.CHECKOUT_PRIVATE_KEY }}
@@ -90,22 +90,22 @@ jobs:
         #   subsequent 'shell: bash' steps will use msys2 instead of gitbash
         run: echo "C:/msys64/usr/bin" >> $GITHUB_PATH
       - name: Check out the repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: recursive
           token: ${{ steps.checkout-app.outputs.token || secrets.CHECKOUT_TOKEN || github.token }}
       - name: Check out the latest stable version of Go
         id: stable
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: stable
           cache: false
       - name: Read the Unified GitHub Workflows configuration
         id: config
-        uses: ipdxco/unified-github-workflows/.github/actions/read-config@main
+        uses: ipdxco/unified-github-workflows/.github/actions/read-config@6d814de11369bb725d26e8d350ac62fe6811ff0a # main
       - name: Read the go.mod file
         id: go-mod
-        uses: ipdxco/unified-github-workflows/.github/actions/read-go-mod@main
+        uses: ipdxco/unified-github-workflows/.github/actions/read-go-mod@6d814de11369bb725d26e8d350ac62fe6811ff0a # main
       - name: Determine the Go version to use based on the go.mod file
         id: go
         env:
@@ -145,7 +145,7 @@ jobs:
           echo "GO386FLAGS=-v $GO386FLAGS" >> $GITHUB_ENV
           echo "GORACEFLAGS=-v $GORACEFLAGS" >> $GITHUB_ENV
       - name: Set up the Go version read from the go.mod file
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         if: steps.go.outputs.version != steps.stable.outputs.go-version || inputs.go-cache != 'false'
         with:
           go-version: ${{ steps.go.outputs.version }}
@@ -159,7 +159,7 @@ jobs:
         if: hashFiles('./.github/actions/go-test-setup') != ''
       - name: Run tests
         if: contains(fromJSON(steps.config.outputs.json).skipOSes, matrix.os) == false
-        uses: protocol/multiple-go-modules@v1.4
+        uses: protocol/multiple-go-modules@ac694baecddc63fc5ba8fe8262d46659fbbf911d # v1.4
         env:
           GOFLAGS: ${{ format('{0} {1}', env.GOTESTFLAGS, env.GOFLAGS) }}
           CGO_ENABLED: ${{ toJSON(fromJSON(steps.config.outputs.json).cgo) != 'false' }}
@@ -171,7 +171,7 @@ jobs:
           contains(steps.config.outputs.json, '"skip32bit"') &&
           fromJSON(steps.config.outputs.json).skip32bit == false &&
           contains(fromJSON(steps.config.outputs.json).skipOSes, matrix.os) == false
-        uses: protocol/multiple-go-modules@v1.4
+        uses: protocol/multiple-go-modules@ac694baecddc63fc5ba8fe8262d46659fbbf911d # v1.4
         env:
           GOARCH: 386
           GOFLAGS: ${{ format('{0} {1}', env.GO386FLAGS, env.GOFLAGS) }}
@@ -185,7 +185,7 @@ jobs:
         if: matrix.os == 'ubuntu' &&
           fromJSON(steps.config.outputs.json).skipRace != true &&
           contains(fromJSON(steps.config.outputs.json).skipOSes, matrix.os) == false
-        uses: protocol/multiple-go-modules@v1.4
+        uses: protocol/multiple-go-modules@ac694baecddc63fc5ba8fe8262d46659fbbf911d # v1.4
         env:
           GOFLAGS: ${{ format('{0} {1}', env.GORACEFLAGS, env.GOFLAGS) }}
           CGO_ENABLED: ${{ toJSON(fromJSON(steps.config.outputs.json).cgo) != 'false' }}
@@ -196,7 +196,7 @@ jobs:
         run: echo "files=$(find . -type f -name 'module-coverage.txt' | tr -s '\n' ',' | sed 's/,$//')" >> $GITHUB_OUTPUT
       - name: Upload coverage to Codecov
         if: steps.secrets.outputs.CODECOV_TOKEN == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         env:
           OS: ${{ matrix.os }}
           GO: ${{ steps.go.outputs.version }}