From fd1641061334a156f3a8249eeab23f0464fed539 Mon Sep 17 00:00:00 2001 From: Max Rydahl Andersen Date: Tue, 19 May 2026 18:06:37 +0200 Subject: [PATCH] ci: pin GitHub Actions to full-length commit SHAs Pin all action references to full-length commit SHAs for supply chain security. This is required for the org-level policy: 'Require actions to be pinned to a full-length commit SHA'. Original version tags are preserved as comments for readability. Existing SHA pins are left unchanged. --- .github/workflows/ci.yml | 4 ++-- .github/workflows/release.yml | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 59db255..a5c24ab 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,10 +19,10 @@ jobs: build: runs-on: 'ubuntu-latest' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up JDK 21 - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: '21' distribution: 'temurin' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c3f092e..b9ccadb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,12 +16,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - name: Set up JDK 21 - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: '21' distribution: 'temurin' 
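Review bot: The trailing comments on the two new `uses:` lines in ci.yml (`# v6`, `# v5`) name moving major tags, so nothing in the file records which release each SHA was taken from and the pin cannot be checked against upstream by reading it. Consider recording the exact release, e.g. `uses: actions/checkout@<sha> # vX.Y.Z` (placeholder; take the version from the upstream tag), and confirming that each SHA is a commit on the action's own repository rather than one reachable only through a fork. The same applies to the pins added in release.yml. If no updater is configured for the `github-actions` ecosystem (not visible here), these pins will stay at the current commits until someone bumps them by hand, including when upstream ships security fixes.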
@@ -37,7 +37,7 @@ jobs: run: cp build/libs/jdkdb-scraper-${{ github.event.inputs.version }}-standalone.jar build/libs/jdkdb-scraper-standalone.jar - name: Commit & Push changes - uses: stefanzweifel/git-auto-commit-action@v7 + uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7 with: commit_message: "ci: Releasing version ${{ github.event.inputs.version }}" @@ -49,7 +49,7 @@ jobs: git push origin "v${{ github.event.inputs.version }}" - name: Publish release - uses: softprops/action-gh-release@v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 with: tag_name: v${{ github.event.inputs.version }} name: Release v${{ github.event.inputs.version }} @@ -62,6 +62,6 @@ jobs: run: echo "version=${{ github.event.inputs.version }}.1-SNAPSHOT" > gradle.properties - name: Commit & Push changes - uses: stefanzweifel/git-auto-commit-action@v7 + uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7 with: commit_message: "ci: Prepare for next development iteration" \ No newline at end of file
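Review bot: The `run:` line at the top of this hunk still expands `${{ github.event.inputs.version }}` directly into the shell script, so the value becomes part of the command text before the shell parses it; SHA pinning does not cover that path. The same pattern appears in the `git push origin "v${{ … }}"` line of the next hunk and the `echo "version=…" > gradle.properties` line of the last one. Passing the input through the environment keeps it as data: add `env:` with `VERSION: ${{ github.event.inputs.version }}` to the step and use `"build/libs/jdkdb-scraper-${VERSION}-standalone.jar"` in the command. Checking the value against a version pattern before use would also help. The step's `name:` line and the workflow trigger are outside the hunk, so the input is presumably limited to users who can dispatch the workflow.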
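Review bot: `softprops/action-gh-release` and `stefanzweifel/git-auto-commit-action` are third-party actions that run with whatever token scope this job has, and the job's `permissions:` are not visible in these hunks. Since the steps push commits and tags and publish a release, the job likely needs `contents: write`. Declaring exactly that at job level (`permissions:` with `contents: write`), rather than relying on the repository default, would bound what a pinned version later found vulnerable could do. A SHA pin also fixes only the top-level action; anything that action itself fetches at run time is not covered.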