From 8fb6c12ed1ffb6f1d7c38b4333aad417c82fc4f7 Mon Sep 17 00:00:00 2001
From: Jess Lowe <jesslowe@google.com>
Date: Mon, 25 May 2026 03:55:31 +0000
Subject: [PATCH] Pin OSV Go Dependencies

---
 .github/workflows/auto_import.yaml | 2 +-
 .github/workflows/automation.yaml  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/auto_import.yaml b/.github/workflows/auto_import.yaml
index 0be48ec7..eeceb205 100644
--- a/.github/workflows/auto_import.yaml
+++ b/.github/workflows/auto_import.yaml
@@ -21,7 +21,7 @@ jobs:
           wget https://storage.googleapis.com/cve-osv-conversion/nvd/nvdcve-2.0-$year.json;
         done
     - run: |
-        go install github.com/google/osv/vulnfeeds/cmd/pypi@master
+        go install github.com/google/osv/external/cmd/pypi@v0.0.0-20260525013352-508446a947cf
         for nvdfile in nvdcve-2.0-*.json; do
           pypi -false_positives triage/false_positives.yaml \
                -nvd_json $nvdfile \
diff --git a/.github/workflows/automation.yaml b/.github/workflows/automation.yaml
index 31b3fcb0..286f80cb 100644
--- a/.github/workflows/automation.yaml
+++ b/.github/workflows/automation.yaml
@@ -37,7 +37,7 @@ jobs:
       with:
         go-version: '^1.16.4'
     - run: |
-        go install github.com/google/osv/vulnfeeds/cmd/ids@latest
+        go install github.com/google/osv/external/cmd/ids@v0.0.0-20260525013352-508446a947cf
         ids -dir=./vulns -prefix PYSEC
         git config user.name github-actions
         git config user.email github-actions@github.com