From 51858808cff3e177577e9d3267cebe04d12c679e Mon Sep 17 00:00:00 2001
From: Codacy Security Bot <security-bot@codacy.com>
Date: Tue, 24 Mar 2026 17:20:10 +0000
Subject: [PATCH] Security: pin GitHub Actions to SHA hashes

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
---
 .github/workflows/ci.yml      | 4 ++--
 .github/workflows/publish.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3131f90..96d2643 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,10 +15,10 @@ jobs:
         node-version: [18, 20, 22]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2c87bb3..57106c7 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -13,10 +13,10 @@ jobs:
       id-token: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Use Node.js 22
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 22
           registry-url: https://registry.npmjs.org