From a41151e5b34f391370deefe8428470c74d52d4e5 Mon Sep 17 00:00:00 2001
From: Matt Davidson
Date: Thu, 7 May 2026 13:38:14 -0700
Subject: [PATCH] chore: pin all GitHub Action versions to SHAs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pins every action across the 4 workflow files to a commit SHA with a version comment, matching the pattern used in other public WorkOS repos (workos-node, authkit-nextjs, etc.). Same supply-chain hygiene: floating tags can be moved to point at compromised commits, SHAs can't.
Versions are kept current:
- actions/checkout v4 → v6
- actions/setup-node v4 → v6
- amannn/action-semantic-pull-request v6 → v6.1.1
- github/codeql-action/{init,analyze} v3 → v3.35.3
- actions/dependency-review-action v4 → v4.9.0
---
 .github/workflows/ci.yml | 4 ++--
 .github/workflows/codeql.yml | 6 +++---
 .github/workflows/dependency-review.yml | 4 ++--
 .github/workflows/lint-pr-title.yml | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1fa3769..e0fa957 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,9 +13,9 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: 24
 cache: npm
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0a54434..be8e338 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
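Review bot: The version comments on the `actions/checkout` and `actions/setup-node` pins read `# v6`, a major-version tag only, while the other three pins in this commit carry the exact release tag (`# v6.1.1`, `# v3.35.3`, `# v4.9.0`); the comment is what a reviewer and a pin-updating tool use to tell which release a SHA resolves to, so it should be the precise tag the SHA was taken from, here and for the same two pins in the codeql.yml and dependency-review.yml hunks. A SHA pin is only as good as its provenance: confirm each SHA is a commit in the named upstream repository (not a fork or a moved tag) and that a Dependabot or Renovate entry for the github-actions ecosystem exists, otherwise the pins will quietly rot. Going from v4 to v6 spans two major releases for both actions, which the message presents as a pin rather than an upgrade; presumably nothing in this job depends on changed defaults, but that deserves a check since the `with:` block is untouched. The workflow's `on:` and `permissions:` sections are outside the hunk.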
@@ -23,13 +23,13 @@ jobs:
 language: [javascript-typescript]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- - uses: github/codeql-action/init@v3
+ - uses: github/codeql-action/init@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3.35.3
 with:
 languages: ${{ matrix.language }}
 queries: security-and-quality
- - uses: github/codeql-action/analyze@v3
+ - uses: github/codeql-action/analyze@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3.35.3
 with:
 category: '/language:${{ matrix.language }}'
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index edf0ebb..42ca517 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -12,9 +12,9 @@ jobs:
 review:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- - uses: actions/dependency-review-action@v4
+ - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
 with:
 fail-on-severity: high
 comment-summary-in-pr: on-failure
diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml
index a10f104..116ad1e 100644
--- a/.github/workflows/lint-pr-title.yml
+++ b/.github/workflows/lint-pr-title.yml
@@ -11,6 +11,6 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: amannn/action-semantic-pull-request@v6
+ - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
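Review bot: `github/codeql-action/init` and `github/codeql-action/analyze` are pinned to the same SHA, which is the right shape because the two must stay in lockstep, but nothing in the file says so and a future partial bump would silently desynchronise them; a comment above the `init` step, `# init and analyze must be pinned to the same codeql-action commit`, makes the invariant visible. Also worth stating in the commit message: the pin fixes the action code and therefore which CodeQL bundle version the action requests, but the bundle itself is still fetched over the network at run time rather than from this repository, so the analysis toolchain is pinned only indirectly. The job's matrix definition and `permissions:` block begin outside the hunk.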