From 3f1b5049671a590c9fca5b36fb5dedbe3ed294c5 Mon Sep 17 00:00:00 2001
From: Aaron Sachs
Date: Sun, 3 May 2026 21:33:46 -0400
Subject: [PATCH] chore(ci): pin GitHub Actions to commit SHAs

Replaces moving tag references with full commit SHAs and trailing semver comments. Defends against tag-repointing supply-chain attacks if a third-
party action maintainer is compromised.
---
 .github/workflows/claude.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 7710596..a077d1e 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -26,12 +26,12 @@ jobs:
 actions: read
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 1

 - name: Run Claude Code
 id: claude
- uses: anthropics/claude-code-action@v1
+ uses: anthropics/claude-code-action@fefa07e9c665b7320f08c3b525980457f22f58aa # v1.0.111
 with:
 claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
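Review bot: Nothing in this hunk ties the two pinned SHAs to the `# v4.3.1` and `# v1.0.111` comments beside them, so each commit should be confirmed by hand to be the one the upstream tag points to and to live in the action's own repository rather than a fork, because GitHub resolves a full SHA from anywhere in the repository's fork network. This matters most for the `anthropics/claude-code-action` step, which is handed `secrets.CLAUDE_CODE_OAUTH_TOKEN`. The pins will also go stale and stop receiving upstream security fixes unless something bumps them; if the repository has no Dependabot entry for `package-ecosystem: "github-actions"` (not visible in this patch), adding one keeps both the SHA and its trailing version comment current. Pinning covers only the two `uses:` lines shown, and anything these actions fetch at run time is outside its reach. The job definition starts before the hunk and the `with:` block may continue past it.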