From 4dd984e0c93bc7837acb44e03106e362da48384c Mon Sep 17 00:00:00 2001
From: Arturas Raizys <arturas.raizys@argyle.com>
Date: Wed, 8 Apr 2026 19:02:49 +0300
Subject: [PATCH] chore: pin GitHub Actions to full-length commit SHAs

---
 .github/workflows/build-android-apk.yaml |  8 ++++----
 .github/workflows/build-ios-ipa.yaml     | 10 +++++-----
 .github/workflows/codeql.yaml            |  8 ++++----
 .github/workflows/publish-sdk.yaml       |  4 ++--
 4 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/build-android-apk.yaml b/.github/workflows/build-android-apk.yaml
index ff588bf..571196f 100644
--- a/.github/workflows/build-android-apk.yaml
+++ b/.github/workflows/build-android-apk.yaml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
     - name: Install npm dependencies
       run: |
         cd example
@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
     - name: Install npm dependencies
       run: |
         cd example
@@ -45,7 +45,7 @@ jobs:
         rsync -Rr . example/node_modules/@argyleio/argyle-plugin-react-native
 
     - name: Set up JDK 17
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
       with:
         java-version: 17
         distribution: 'temurin'
@@ -56,7 +56,7 @@ jobs:
         ./gradlew assembleRelease
 
     - name: Archive APK
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: apk-app-development-release
         path: example/android/app/build/outputs/apk/release/app-release.apk
diff --git a/.github/workflows/build-ios-ipa.yaml b/.github/workflows/build-ios-ipa.yaml
index 2127e5f..14fbfa3 100644
--- a/.github/workflows/build-ios-ipa.yaml
+++ b/.github/workflows/build-ios-ipa.yaml
@@ -11,11 +11,11 @@ jobs:
     runs-on: macos-latest
 
     steps:
-    - uses: maxim-lobanov/setup-xcode@v1
+    - uses: maxim-lobanov/setup-xcode@ed7a3b1fda3918c0306d1b724322adc0b8cc0a90 # v1.7.0
       with:
         xcode-version: '26.0'
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
     - name: Install npm dependencies and add dummy version to package.json
       run: |
@@ -37,13 +37,13 @@ jobs:
         rsync -Rr . example/node_modules/@argyleio/argyle-plugin-react-native
 
     - name: Import Codesigning Certificate
-      uses: apple-actions/import-codesign-certs@v3
+      uses: apple-actions/import-codesign-certs@63fff01cd422d4b7b855d40ca1e9d34d2de9427d # v3.0.0
       with:
         p12-file-base64: ${{ secrets.ARGYLE_LINK_IOS_SIGNING_CERT_P12 }}
         p12-password: ${{ secrets.ARGYLE_LINK_IOS_SIGNING_CERT_PASS }}
 
     - name: Install Provisioning Profile
-      uses: akiojin/install-provisioning-profile-github-action@v1.0
+      uses: akiojin/install-provisioning-profile-github-action@e3f58307bd921490aed4691bb568ce4eb2849c62 # v1.0
       with:
         base64: ${{ secrets.ARGYLE_LINK_IOS_SIGNING_PROVISIONING }}
 
@@ -68,7 +68,7 @@ jobs:
         xcodebuild -exportArchive -archivePath ./demo.xcarchive -exportOptionsPlist ../../.github/configs/exportOptions.plist -exportPath build-demo
 
     - name: Archive IPA
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: ipa-LinkReactNative
         path: example/ios/build-demo/LinkReactNative.ipa
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index 188adf7..a53e5d7 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -20,14 +20,14 @@ jobs:
       security-events: write
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
-    - uses: github/codeql-action/init@v3
+    - uses: github/codeql-action/init@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1
       with:
         languages: javascript
 
-    - uses: github/codeql-action/autobuild@v3
+    - uses: github/codeql-action/autobuild@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1
 
-    - uses: github/codeql-action/analyze@v3
+    - uses: github/codeql-action/analyze@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1
       with:
         category: "/language:javascript"
diff --git a/.github/workflows/publish-sdk.yaml b/.github/workflows/publish-sdk.yaml
index 7f5f8fe..ba57fb9 100644
--- a/.github/workflows/publish-sdk.yaml
+++ b/.github/workflows/publish-sdk.yaml
@@ -12,9 +12,9 @@ jobs:
   publish-sdk:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 24
           registry-url: 'https://registry.npmjs.org'