From 459671129648dc895739cf6b85b9837f15dc90a0 Mon Sep 17 00:00:00 2001
From: Patrick Kaeding
Date: Mon, 23 Mar 2026 21:46:37 -0400
Subject: [PATCH 1/3] [SEC-7924] chore: pin third-party GitHub Actions to commit SHAs

Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the third-party-action-not-pinned-to-commit-sha Semgrep rule.
---
 .github/actions/setup/action.yml | 2 +-
 .github/workflows/release-please.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index eca1f4ae..ddc6b236 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -12,7 +12,7 @@ inputs:
 runs:
 using: composite
 steps:
- - uses: ruby/setup-ruby@v1
+ - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
 with:
 ruby-version: ${{ inputs.version }}
 bundler: 2
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index d22e462e..00c97853 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -18,7 +18,7 @@ jobs:
 upload-tag-name: ${{ steps.release.outputs.tag_name }}
 steps:
- - uses: googleapis/release-please-action@v4
+ - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
 id: release
 build-ruby-gem:
@@ -81,7 +81,7 @@ jobs:
 id-token: write
 contents: write
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
 with:
 base64-subjects: "${{ needs.publish.outputs.gem-hash }}"
 upload-assets: true
From ab342879644b828415319038d0f9c332df1dad3e Mon Sep 17 00:00:00 2001
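Review bot: The new `ruby/setup-ruby` pin should be checked to be reachable from a tag or branch in the upstream repository before it is trusted, because GitHub resolves `owner/repo@<sha>` for commits that exist only in the repository's fork network, so a SHA copied from a pull request or a fork would run just as readily as a release commit. A quick check is `git ls-remote --tags https://github.com/ruby/setup-ruby | grep 319994f95fa847cf3fb3cd3dbe89f6dcde9f178f`, and the tag it returns is what belongs in the trailing comment, since Dependabot and Renovate read that comment to work out which version the hash represents and `# v1` only names a moving major-version alias. The rest of the composite action's `steps:` is outside the hunk.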
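Review bot: Freezing `googleapis/release-please-action` at a SHA means nothing in this change keeps the pin current, so fixes shipped in later v4 releases will be missed unless an updater rewrites the hash; if the repository does not already have one, add a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` (or the Renovate equivalent), which bumps the SHA and the `# v4` comment together. The same fork-network caveat applies here: confirm `16a9c90856f42705d54a6fda1823352bdc62cf38` is reachable from a tag in the upstream repository, not merely resolvable. The job header and any `permissions:` block for this step are outside the hunk, so whether the token this action uses is scoped to the minimum it needs cannot be checked here.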
From: Patrick Kaeding
Date: Tue, 24 Mar 2026 10:11:55 -0400
Subject: [PATCH 2/3] Apply suggestion from @pkaeding

---
 .github/workflows/release-please.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 00c97853..27a3bc2f 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -81,7 +81,7 @@ jobs:
 id-token: write
 contents: write
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
 with:
 base64-subjects: "${{ needs.publish.outputs.gem-hash }}"
 upload-assets: true
From 7f70e346219e05f0add5a6e2db0245816d32537b Mon Sep 17 00:00:00 2001
From: "Matthew M. Keeler"
Date: Tue, 24 Mar 2026 14:47:13 -0400
Subject: [PATCH 3/3] Apply suggestions from code review

Co-authored-by: Matthew M. Keeler
---
 .github/actions/setup/action.yml | 2 +-
 .github/workflows/release-please.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index ddc6b236..97396bba 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -12,7 +12,7 @@ inputs:
 runs:
 using: composite
 steps:
- - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
+ - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
 with:
 ruby-version: ${{ inputs.version }}
 bundler: 2
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 27a3bc2f..b837f0a4 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
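Review bot: Going back to the `v2.0.0` tag for `generator_generic_slsa3.yml` is justified — as far as the slsa-github-generator documentation states, its reusable workflows must be referenced by tag, and `slsa-verifier` checks that tag as part of the builder ID when the provenance is consumed — but the new line carries no explanation, so the Semgrep rule named in the first commit will flag it again and a later cleanup will re-pin it. Annotate the exception on the line itself, e.g. `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 # nosemgrep: third-party-action-not-pinned-to-commit-sha -- generator must be referenced by tag, not SHA`, using the rule's full registry id in the suppression. Because a tag can be moved whereas a SHA cannot, also record the commit the tag resolved to at review time (`git ls-remote --tags https://github.com/slsa-framework/slsa-github-generator refs/tags/v2.0.0`) in the PR so drift can be spotted later. The job header and `needs:` for this reusable-workflow call are outside the hunk.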
@@ -18,7 +18,7 @@ jobs:
 upload-tag-name: ${{ steps.release.outputs.tag_name }}
 steps:
- - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
+ - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
 id: release
 build-ruby-gem: