From e9546ee71ecdf4f6c194281761b314b6107ef9a8 Mon Sep 17 00:00:00 2001
From: joel-phantom <222027182+joel-phantom@users.noreply.github.com>
Date: Fri, 24 Apr 2026 16:50:28 +0000
Subject: [PATCH] chore(ci): pin external GitHub Actions to commit SHAs (SEC-9867)
Pins the remaining unpinned external `uses:` references in `.github/workflows/*.yml|*.yaml` and `.github/actions/*/action.yml|yaml` composite actions to full 40-character commit SHAs so the org can enable the pin-to-SHA policy.
Refs:
- SEC-6683 (audit) https://linear.app/phantom-labs/issue/SEC-6683
- SEC-9867 (this) https://linear.app/phantom-labs/issue/SEC-9867
---
 .github/workflows/ci.yml | 4 ++--
 .github/workflows/pages.yml | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 172a5c83..a378845a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,10 +12,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 - name: Use Node.js 16
- uses: actions/setup-node@v3
+ uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version: 16
 cache: "yarn"
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
index 251d245e..bd59c82b 100644
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@@ -23,14 +23,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 - name: Setup Node
- uses: actions/setup-node@v3
+ uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version: "18"
 cache: yarn
 - name: Setup Pages
- uses: actions/configure-pages@v3
+ uses: actions/configure-pages@b8130d9ab958b325bbde9786d62f2c97a9885a0e # v3
 - name: Install dependencies
 run: yarn install
 - name: Build
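Review bot: The trailing comments on the newly pinned `uses:` lines (`# v2`, `# v3`, `# v1`) name the moving major tag rather than the exact release each SHA was taken from, so a reviewer cannot check a SHA against a tag; this applies to every pinned line in both `ci.yml` and `pages.yml`. I would record the exact release instead, in the form `uses: actions/checkout@<sha> # vX.Y.Z` (placeholder; take the version from the upstream tag that points at that SHA). It is also worth confirming that each SHA is reachable from the upstream repository's own tags and not only from a fork of it. Because a pinned SHA no longer follows its tag, the repository needs an update mechanism such as Dependabot's `github-actions` ecosystem so fixes to these actions still arrive; none is visible in this patch.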
@@ -40,7 +40,7 @@ jobs:
 mv multichain/blocklist-full.json ./out/multichain/
 mv blocklist-full.json ./out/
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v1
+ uses: actions/upload-pages-artifact@84bb4cd4b733d5c320c9c9cfbc354937524f4d64 # v1
 with:
 path: ./out
@@ -54,4 +54,4 @@ jobs:
 steps:
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@v1
+ uses: actions/deploy-pages@f27bcc15848fdcdcc02f01754eb838e44bcf389b # v1
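Review bot: Pinning `actions/upload-pages-artifact` to a SHA in the `Upload artifact` step fixes only the top-level action. If that action is a composite that calls other actions by tag (it appears to wrap an artifact-upload action), those nested references stay mutable and are not covered by the pin. I would check the `action.yml` at the pinned commit and record the result above the step, e.g. `# nested actions at this commit reviewed: <ticket>`. The `Deploy to GitHub Pages` step in the last hunk publishes the site, and its job-level `permissions:` sit outside the hunk, so they could not be reviewed here.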