From d32d8450cc61e83399d420db41b726e382062f14 Mon Sep 17 00:00:00 2001 From: Joshua Li Date: Mon, 23 Mar 2026 23:46:12 -0700 Subject: [PATCH] chore: pin GitHub Actions to full-length commit SHAs --- .github/workflows/check-retrace-spec.yml | 2 +- .github/workflows/ci.yml | 16 ++++++++-------- .github/workflows/enforce-license-compliance.yml | 2 +- .github/workflows/release.yml | 4 ++-- .github/workflows/weekly.yml | 2 +- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/check-retrace-spec.yml b/.github/workflows/check-retrace-spec.yml index b1255d1..a1bdcad 100644 --- a/.github/workflows/check-retrace-spec.yml +++ b/.github/workflows/check-retrace-spec.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Check for newer retrace spec run: ./scripts/check-retrace-spec.sh diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 41e8c25..2177599 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,10 +16,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - run: rustup toolchain install stable --profile minimal --component rustfmt --component clippy --no-self-update - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 - run: cargo fmt --all -- --check - run: cargo clippy --all-features --workspace --tests --examples -- -D clippy::all 
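Review bot: The trailing comments on the new pins (`# v6` in this hunk, and `# v2`, `# v3`, `# v1` in the ci.yml and release.yml hunks) name a moving major tag, so they do not record which release each full-length SHA was taken from. Writing the exact release tag instead, for example `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # vX.Y.Z` with the real version filled in, lets a reviewer check the SHA against the upstream tag and gives update tooling a version to bump from. It is also worth confirming that each SHA is reachable from the upstream repository's own tags or default branch, since nothing in the diff establishes that.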
@@ -35,10 +35,10 @@ jobs: runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - run: rustup toolchain install stable --profile minimal --no-self-update - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 - run: cargo test --workspace --all-features --all-targets - run: cargo test --workspace --all-features --doc @@ -48,14 +48,14 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - run: rustup toolchain install stable --profile minimal --component llvm-tools-preview --no-self-update - - uses: Swatinem/rust-cache@v2 - - uses: taiki-e/install-action@cargo-llvm-cov + - uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 + - uses: taiki-e/install-action@21eb0b6228fa6252dafdd9c82e7516ad2328c775 # cargo-llvm-cov - run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info - - uses: codecov/codecov-action@v3 + - uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3 with: files: lcov.info diff --git a/.github/workflows/enforce-license-compliance.yml b/.github/workflows/enforce-license-compliance.yml index 0f03db2..6b25d47 100644 --- a/.github/workflows/enforce-license-compliance.yml +++ b/.github/workflows/enforce-license-compliance.yml @@ -11,6 +11,6 @@ jobs: runs-on: ubuntu-latest steps: - name: "Enforce License Compliance" - uses: getsentry/action-enforce-license-compliance@main + uses: getsentry/action-enforce-license-compliance@48236a773346cb6552a7bda1ee370d2797365d87 # main with: fossa_api_key: ${{ secrets.FOSSA_API_KEY }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d5d78f5..00fee6e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
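Review bot: The comment `# cargo-llvm-cov` on the pinned `taiki-e/install-action` step, in the job that runs `cargo llvm-cov`, names a tool-selector ref and not a release, so there is no version to audit or bump against. If the tool choice previously came from the ref name, it now depends on what that commit's action definition defaults to, which the diff cannot show. Pinning a versioned release and naming the tool explicitly is easier to review: `- uses: taiki-e/install-action@<full-sha-of-release> # vX.Y.Z` followed by `with:` and `tool: cargo-llvm-cov`.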
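Review bot: The license-compliance step is pinned with the comment `# main`, a branch name, so nothing records when the SHA was taken or which state of the action it corresponds to. This is also the step that receives `secrets.FOSSA_API_KEY`. A branch-derived pin gives update tooling no release to compare against, so it is likely to go stale without anyone noticing. If upstream publishes tags, pin a tagged commit and put the tag in the comment; otherwise record the pin date, e.g. `# main as of YYYY-MM-DD`, and schedule a periodic manual review.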
@@ -22,13 +22,13 @@ jobs: with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: # Fetch all commits so we can determine previous version fetch-depth: 0 token: ${{ steps.token.outputs.token }} - name: Prepare release - uses: getsentry/action-prepare-release@v1 + uses: getsentry/action-prepare-release@c8e1c2009ab08259029170132c384f03c1064c0e # v1 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml index f4eeda1..6a29029 100644 --- a/.github/workflows/weekly.yml +++ b/.github/workflows/weekly.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - run: | rustup toolchain install ${{ matrix.rust }} --profile minimal --component clippy --no-self-update
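Review bot: The release.yml hunk opens inside a step whose `with:` block receives `secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY`, but that step's `uses:` line sits above the hunk. Going by the diffstat (two insertions and two deletions in release.yml), this commit did not touch it. That step handles the most sensitive credential in the workflow, so confirm it is already pinned to a full commit SHA; if it still references a tag, pin it in the same change. The newly pinned `actions/checkout` and `getsentry/action-prepare-release` steps both consume `steps.token.outputs.token`, so their SHAs deserve the same check against upstream tags.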