From 94e0dff637b1de7fd51655927f5ff3c3b6119727 Mon Sep 17 00:00:00 2001
From: Takuma IMAMURA <209989118+hyperfinitism@users.noreply.github.com>
Date: Tue, 31 Mar 2026 21:14:40 +0900
Subject: [PATCH] ci: pin workflow actions to specific commit SHAs

Signed-off-by: Takuma IMAMURA <209989118+hyperfinitism@users.noreply.github.com>
---
 .github/workflows/ruff.yml | 4 ++--
 .github/workflows/spdx.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml
index 1ff009b..aaf1082 100644
--- a/.github/workflows/ruff.yml
+++ b/.github/workflows/ruff.yml
@@ -24,8 +24,8 @@ jobs:
   ruff:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.14"
           cache: "pip"
diff --git a/.github/workflows/spdx.yml b/.github/workflows/spdx.yml
index bc5a30e..16a862f 100644
--- a/.github/workflows/spdx.yml
+++ b/.github/workflows/spdx.yml
@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout
-        uses: actions/checkout@v6
-      - uses: enarx/spdx@d4020ee98e3101dd487c5184f27c6a6fb4f88709 # master
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: enarx/spdx@d4020ee98e3101dd487c5184f27c6a6fb4f88709
         with:
           licenses: MIT