From 158c318d57653f975115d4cccf85d4ca49c652d6 Mon Sep 17 00:00:00 2001
From: Satya Kwok <119509589+satyakwok@users.noreply.github.com>
Date: Tue, 12 May 2026 05:20:10 +0200
Subject: [PATCH] ci: pin third-party GitHub Actions to commit SHAs

Replaces tag refs (`@v3`, `@v2`) with full commit SHAs. Comments preserve the original tag for human readability and so dependabot can still propose upgrades. SHAs verified via GitHub commits API at the time of this commit.
---
 .github/workflows/ci.yml | 16 ++++++++--------
 .github/workflows/codeql.yml | 4 ++--
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 59f5a4f..e046c3a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,7 +17,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
 with:
 components: rustfmt
 - run: cargo fmt --all -- --check
@@ -27,14 +27,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
 with:
 components: clippy
 targets: wasm32-unknown-unknown
- - uses: arduino/setup-protoc@v3
+ - uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
- - uses: Swatinem/rust-cache@v2
+ - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
 # Lint both targets — the WASM lib has different cfg-gates than
 # the SSR bin, so a single pass would skip half the code.
 - name: clippy (wasm/hydrate)
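Review bot: The `dtolnay/rust-toolchain` step in this hunk loses its toolchain selection once the ref becomes a SHA: as far as I recall, that action takes the toolchain name from the ref it is invoked with (`@stable`, `@nightly`, `@1.70`), and its README asks for an explicit `toolchain:` input whenever the action is pinned by commit. The trailing `# stable` is a comment and carries nothing to the action, so after this change the step is asked for a toolchain named after the SHA (or whatever the action falls back to), which is a different outcome from the removed `@stable` line rather than the same behaviour with a stronger pin. Add `toolchain: stable` under the step's `with:` block, next to `components: rustfmt`, and apply the same addition to the other two jobs in this file that pin the same action. The `jobs:` mapping and the job this step belongs to begin outside the hunk.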
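Review bot: `actions/checkout@v4` on the third line of this hunk is left on a floating major tag while every other action in the same step list is now pinned, and it is the step where a re-pointed tag costs the most: it runs with the job's `GITHUB_TOKEN` and writes the workspace that `clippy` and `setup-protoc` then operate on. The commit scopes itself to "third-party" actions, but the same patch pins `github/codeql-action`, which is GitHub-owned too, so the boundary is not obvious to a later reader; either pin checkout here as well, `- uses: actions/checkout@<full-commit-sha> # v4` (resolve the SHA the same way as the others, it is not shown in this patch), or state the rule once in the commit message. The `rust-toolchain` step in this hunk has the same `toolchain:` input concern as the rustfmt job above — pinning by SHA means the `stable` choice has to be passed explicitly, if I recall the action's behaviour correctly. This job continues past the end of the hunk.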
@@ -47,19 +47,19 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
 with:
 targets: wasm32-unknown-unknown
- - uses: arduino/setup-protoc@v3
+ - uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
- - uses: Swatinem/rust-cache@v2
+ - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
 - name: install cargo-leptos
 # No version pin — leaves us tracking latest, which matters
 # because cargo-leptos bundles a wasm-bindgen-cli; if the
 # bundled version trails our Cargo's transitive `wasm-bindgen`,
 # the build fails with a schema-version mismatch (#1).
- uses: taiki-e/install-action@v2
+ uses: taiki-e/install-action@c070f87102a1c75b3183910f391c1cb887fe13c8 # v2
 with:
 tool: cargo-leptos
 - name: install tailwindcss
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 12e14ed..1cba0f7 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -23,9 +23,9 @@ jobs:
 language: ['javascript-typescript']
 steps:
 - uses: actions/checkout@v5
- - uses: github/codeql-action/init@v3
+ - uses: github/codeql-action/init@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
 with:
 languages: ${{ matrix.language }}
- - uses: github/codeql-action/analyze@v3
+ - uses: github/codeql-action/analyze@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
 with:
 category: '/language:${{ matrix.language }}'
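Review bot: The comment above the `install-action` step ("No version pin — leaves us tracking latest") no longer describes what the step does once the action itself is pinned to `c070f871…`. If I recall correctly, taiki-e/install-action resolves `latest` for a tool from manifest files shipped inside the action's own repository, so a SHA pin also freezes the newest cargo-leptos the action knows about; "latest" silently becomes "latest as of that commit", and the wasm-bindgen-cli mismatch the comment guards against (#1) can return once Cargo's transitive `wasm-bindgen` moves past what that cargo-leptos bundles, with nothing in the workflow pointing at the cause. Either keep this one action on a moving ref on purpose and say so in the comment, or keep the SHA and extend the comment, e.g. `# NOTE: the action's SHA pin bounds "latest" to its manifest at that commit — bump the pin whenever wasm-bindgen moves (#1).` The `install cargo-leptos` step is shown in full; the job's remaining steps continue past the hunk.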
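Review bot: `actions/checkout@v5` on the third line of the codeql.yml hunk stays on a floating tag while the two `github/codeql-action` steps beside it — also GitHub-owned, so not "third-party" in the commit's own sense — are pinned; whatever rule applies to this step list should apply to all three, and checkout is the step that populates the workspace CodeQL then scans. This file also checks out with `@v5` while ci.yml uses `@v4`, so the two workflows are drifting on the same action. Pin checkout here as well, `- uses: actions/checkout@<full-commit-sha> # v5` (the SHA is not in this patch; resolve it as the others were), and bring ci.yml onto the same major in a follow-up. Pinning `init` and `analyze` to one commit is the right shape — keep them in lock-step when bumping, since the two halves of codeql-action are generally expected to run from the same version.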