From 680991e2ae3e9f0ec533eadb94b8cc4b0b51c59b Mon Sep 17 00:00:00 2001
From: Erisu
Date: Wed, 20 May 2026 01:54:36 +0900
Subject: [PATCH] chore(workflow): pin sha & update actions
---
 .github/workflows/ci.yml | 12 +++++++-----
 .github/workflows/release-audit.yml | 15 +++++++++------
 2 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b32b65c..bcc5647 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -44,10 +44,12 @@ jobs:
 os: [ubuntu-latest, macos-15]
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ fetch-depth: 1
- - name: Use Node.js ${{ matrix.node.version }}
- uses: actions/setup-node@v6
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: ${{ matrix.node.version }}
@@ -56,7 +58,7 @@ jobs:
 node --version
 npm --version
- - uses: github/codeql-action/init@v4
+ - uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
 with:
 languages: javascript
 queries: security-and-quality
@@ -70,7 +72,7 @@ jobs:
 env:
 CI: true
- - uses: github/codeql-action/analyze@v4
+ - uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
 # v4.6.0
 - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238
diff --git a/.github/workflows/release-audit.yml b/.github/workflows/release-audit.yml
index 52798d4..ceddd08 100644
--- a/.github/workflows/release-audit.yml
+++ b/.github/workflows/release-audit.yml
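Review bot: In `.github/workflows/ci.yml`, the trailing `# v6.0.2`, `# v6.4.0` and `# v4.35.5` comments are the only thing tying each 40-character pin to a release, and nothing visible in the patch checks that link. A full SHA can also resolve to a commit that exists only in a fork of the action's repository, so each pin should be confirmed as the commit the upstream tag points to, and the commit message should say how the SHAs were obtained. If the repository has no `github-actions` Dependabot entry (its config is outside this diff), adding one keeps SHA and comment moving together; otherwise a stale comment will misreport what actually runs. This applies equally to the pins in the `@@ -56,7` and `@@ -70,7` hunks and to those in `release-audit.yml`. A comment above the first pinned step would record the rule: `# Actions are pinned by full commit SHA; the trailing comment names the upstream release tag that SHA was taken from.`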
@@ -34,13 +34,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 # Checkout project
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ fetch-depth: 1
- # Check license headers (v2.0.0)
- - uses: erisu/apache-rat-action@46fb01ce7d8f76bdcd7ab10e7af46e1ea95ca01c
+ # Check license headers (v3.0.0)
+ - uses: erisu/apache-rat-action@30c94d10ed21e6f6fd5590dc5c158f58cae7a0dd
 # Setup environment with node
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 24
@@ -48,8 +51,8 @@ jobs:
 - name: npm install packages
 run: npm ci
- # Check node package licenses (v2.0.1)
- - uses: erisu/license-checker-action@99cffa11264fe545fd0baa6c13bca5a00ae608f2
+ # Check node package licenses (v2.1.0)
+ - uses: erisu/license-checker-action@04511f4c052b5773f11e1c65b42cda88235c62ae
 with:
 license-config: 'licence_checker.yml'
 include-asf-category-a: true
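Review bot: The two `erisu/*` pins in `.github/workflows/release-audit.yml` keep their version in a comment on the line above (`# Check license headers (v3.0.0)`), while the `actions/*` pins in this same hunk carry it as a trailing comment. Tooling that rewrites pinned SHAs generally updates only a same-line version comment, so the line-above form will likely go stale on the next bump. Writing `- uses: erisu/apache-rat-action@30c94d10ed21e6f6fd5590dc5c158f58cae7a0dd # v3.0.0` and reducing the line above to `# Check license headers` keeps one convention. The `license-checker-action` pin in the `@@ -48,8` hunk and the untouched `# v4.6.0` / `codecov-action` pair in `ci.yml` have the same shape. Separately, v2.0.0 to v3.0.0 is a major bump on a step that passes no `with:` inputs, so any changed defaults are worth confirming before relying on the audit result.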