From 610958d0ec9f3387e9f73d4a2b86163f648c3564 Mon Sep 17 00:00:00 2001
From: "renovate-sh-app[bot]"
 <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Date: Fri, 29 May 2026 17:01:03 +0000
Subject: [PATCH] chore(deps): pin dependencies

Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
---
 .github/workflows/org-required-trufflehog.yml | 2 +-
 .github/workflows/semgrep.yaml                | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/org-required-trufflehog.yml b/.github/workflows/org-required-trufflehog.yml
index 5d35841f..da960333 100644
--- a/.github/workflows/org-required-trufflehog.yml
+++ b/.github/workflows/org-required-trufflehog.yml
@@ -21,7 +21,7 @@ permissions:
 jobs:
   secret-scan:
     name: TruffleHog Secret Scan
-    uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml@main
+    uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml@796b732982506cdbe7c80de335bde851c42fbf55 # main
     with:
       # Non-blocking: job succeeds; PR still gets comments/artifacts when findings exist
       fail-on-verified: "false"      # Set "true" to fail on verified secrets
diff --git a/.github/workflows/semgrep.yaml b/.github/workflows/semgrep.yaml
index 8c8de895..87926cf0 100644
--- a/.github/workflows/semgrep.yaml
+++ b/.github/workflows/semgrep.yaml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     container:
       # A Docker image with Semgrep installed. Do not change this.
-      image: semgrep/semgrep:1.152.0
+      image: semgrep/semgrep:1.152.0@sha256:e04d2cb132288d90035db8791d64f610cb255b21e727b94db046243b30c01ae9
     steps:
       # Fetch project source with GitHub Actions Checkout.
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2