From 89e656d5b09363b978e43932cf515a45f97d5eb4 Mon Sep 17 00:00:00 2001
From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com>
Date: Fri, 10 Apr 2026 09:16:16 +0200
Subject: [PATCH 1/4] chore: pin actions to SHA in
 .github/workflows/airflow-content-syncer-container.yaml

---
 .github/workflows/airflow-content-syncer-container.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/airflow-content-syncer-container.yaml b/.github/workflows/airflow-content-syncer-container.yaml
index abadc22b..a0bdd77e 100644
--- a/.github/workflows/airflow-content-syncer-container.yaml
+++ b/.github/workflows/airflow-content-syncer-container.yaml
@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     # This image is based on ubuntu:20.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - uses: ./.github/workflows/publish
         name: Create airflow-content-syncer container
         with:
@@ -36,7 +36,7 @@ jobs:
     runs-on: ubuntu-latest
     # This image is based on ubuntu:20.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - uses: ./.github/workflows/publish
         name: Create and publish airflow-content-syncer container
         with:

From b8930afe07a2b66706365e745d3720a5f221da45 Mon Sep 17 00:00:00 2001
From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com>
Date: Fri, 10 Apr 2026 09:16:17 +0200
Subject: [PATCH 2/4] chore: pin actions to SHA in
 .github/workflows/airflow-content.yaml

---
 .github/workflows/airflow-content.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/airflow-content.yaml b/.github/workflows/airflow-content.yaml
index 34504f29..5735ad82 100644
--- a/.github/workflows/airflow-content.yaml
+++ b/.github/workflows/airflow-content.yaml
@@ -16,6 +16,6 @@ jobs:
     name: Test Airflow content
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Test
         uses: ./.github/workflows/test

From 67f96fb1458730edc7c73d01c7cdd10b4d52b515 Mon Sep 17 00:00:00 2001
From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com>
Date: Fri, 10 Apr 2026 09:16:19 +0200
Subject: [PATCH 3/4] chore: pin actions to SHA in
 .github/workflows/airflow-customized-container.yaml

---
 .github/workflows/airflow-customized-container.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/airflow-customized-container.yaml b/.github/workflows/airflow-customized-container.yaml
index 422b2008..bd6f269a 100644
--- a/.github/workflows/airflow-customized-container.yaml
+++ b/.github/workflows/airflow-customized-container.yaml
@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     # This image is based on ubuntu:20.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - uses: ./.github/workflows/publish
         name: Create airflow-customized container
         with:
@@ -36,7 +36,7 @@ jobs:
     runs-on: ubuntu-latest
     # This image is based on ubuntu:20.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - uses: ./.github/workflows/publish
         name: Create and publish airflow-customized container
         with:

From 82da1e776ce4e8c5ebdc88f4679606967b506398 Mon Sep 17 00:00:00 2001
From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com>
Date: Fri, 10 Apr 2026 09:16:22 +0200
Subject: [PATCH 4/4] chore: pin actions to SHA in
 .github/workflows/rollout-dashboard.yaml

---
 .github/workflows/rollout-dashboard.yaml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/rollout-dashboard.yaml b/.github/workflows/rollout-dashboard.yaml
index 1fb0e07c..fba9dfe0 100644
--- a/.github/workflows/rollout-dashboard.yaml
+++ b/.github/workflows/rollout-dashboard.yaml
@@ -25,11 +25,11 @@ jobs:
       - name: Set month and year for cache key
         id: date
         run: echo "date=$(date +'%Y-%m')" >> "$GITHUB_OUTPUT"
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Move backend files to source root
         run: mv -f rollout-dashboard/server/* .
       - name: Cache Cargo stuff once a month for faster execution
-        uses: actions/cache@v3
+        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0
         with:
           key: cargo-build-deps-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}-${{ steps.date.outputs.date }}
           path: |
@@ -41,11 +41,11 @@ jobs:
             target/debug/deps
             target/debug/.fingerprint
       - name: Set up Rust toolchain
-        uses: actions-rs/toolchain@v1
+        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
         with:
           toolchain: stable
       - name: Security audit
-        uses: actions-rs/audit-check@v1
+        uses: actions-rs/audit-check@35b7b53b1e25b55642157ac01b4adceb5b9ebef3 # v1.2.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: cargo machete
@@ -54,11 +54,11 @@ jobs:
           which cargo-machete || cargo install cargo-machete
           cargo machete
       - name: cargo clippy
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
         with:
           command: clippy
       - name: cargo test
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
         with:
           command: test
       - name: cargo doc
@@ -70,9 +70,9 @@ jobs:
     name: Test rollout dashboard frontend
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: "20.x"
       - name: Move frontend files to source root
@@ -91,7 +91,7 @@ jobs:
     needs: [test-backend, test-frontend]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - uses: ./.github/workflows/publish
         name: Create rollout-dashboard container
         with:
@@ -103,7 +103,7 @@ jobs:
     if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - uses: ./.github/workflows/publish
         name: Create and publish rollout-dashboard container
         with: