From 1e0cd2e0a47167d62a28ff8089a48467999dc13b Mon Sep 17 00:00:00 2001
From: Patrick Kaeding
Date: Mon, 23 Mar 2026 13:45:03 -0400
Subject: [PATCH] [SEC-7924] chore: pin third-party GitHub Actions to commit SHAs

Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the third-party-action-not-pinned-to-commit-sha Semgrep rule.
---
 .github/actions/ci/action.yml | 6 +++---
 .github/workflows/install-lua-sdk.yml | 6 +++---
 .github/workflows/release-please.yml | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/actions/ci/action.yml b/.github/actions/ci/action.yml
index 814ece6..0e4511b 100644
--- a/.github/actions/ci/action.yml
+++ b/.github/actions/ci/action.yml
@@ -22,16 +22,16 @@ runs:
 id: cpp-versions
 uses: ./.github/actions/cpp-versions
 - name: Install Lua
- uses: luarocks/gh-actions-lua@c1e8c4a5fa64ac5f6467ea35d8b59fb5a167232e
+ uses: luarocks/gh-actions-lua@c1e8c4a5fa64ac5f6467ea35d8b59fb5a167232e # c1e8c4a5fa64ac5f6467ea35d8b59fb5a167232e
 with:
 luaVersion: ${{ inputs.lua-version }}
 - name: Install LuaRocks
- uses: luarocks/gh-actions-luarocks@8acd6db166a0162c375fa8647a0350fbec46940e
+ uses: luarocks/gh-actions-luarocks@8acd6db166a0162c375fa8647a0350fbec46940e # 8acd6db166a0162c375fa8647a0350fbec46940e
 with:
 luarocksVersion: "3.12.0"
 - name: Install Boost
 id: install-boost
- uses: MarkusJx/install-boost@v2.4.4
+ uses: MarkusJx/install-boost@3039450bb3dd2e8630d1cf10ec39cb1da3054bbd # v2.4.4
 with:
 boost_version: 1.81.0
 platform_version: "22.04"
diff --git a/.github/workflows/install-lua-sdk.yml b/.github/workflows/install-lua-sdk.yml
index 2f6ba4d..6680146 100644
--- a/.github/workflows/install-lua-sdk.yml
+++ b/.github/workflows/install-lua-sdk.yml
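Review bot: The trailing comments added on the two luarocks lines (`# c1e8c4a5…` and `# 8acd6db1…`) only repeat the SHA already present in the ref, so they tell a reader nothing about which release is pinned and give version-update tooling no tag to compare against; the same pattern appears on the two leafo lines in install-lua-sdk.yml. The comment after a SHA pin is conventionally the tag the SHA was resolved from, as the `# v2.4.4` on the install-boost line in this same hunk already does. Suggested form: `uses: luarocks/gh-actions-lua@c1e8c4a5fa64ac5f6467ea35d8b59fb5a167232e # <release tag this SHA resolves to>`, with the tag looked up in the upstream repository rather than guessed. It is also worth confirming that each pinned SHA is reachable from the upstream repository's own tag history and not only from a fork, since a pin is only as trustworthy as the commit it names.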
@@ -55,18 +55,18 @@ jobs:
 - uses: actions/checkout@v4
 - name: Install Lua
- uses: leafo/gh-actions-lua@35bcb06abec04ec87df82e08caa84d545348536e
+ uses: leafo/gh-actions-lua@35bcb06abec04ec87df82e08caa84d545348536e # 35bcb06abec04ec87df82e08caa84d545348536e
 with:
 luaVersion: ${{ env.LUA_VERSION }}
 - name: Install LuaRocks
- uses: leafo/gh-actions-luarocks@e65774a6386cb4f24e293dca7fc4ff89165b64c5
+ uses: leafo/gh-actions-luarocks@e65774a6386cb4f24e293dca7fc4ff89165b64c5 # e65774a6386cb4f24e293dca7fc4ff89165b64c5
 with:
 luarocksVersion: "3.12.0"
 - name: Install Boost
 id: install-boost
- uses: MarkusJx/install-boost@v2.4.4
+ uses: MarkusJx/install-boost@3039450bb3dd2e8630d1cf10ec39cb1da3054bbd # v2.4.4
 with:
 boost_version: 1.81.0
 platform_version: "22.04"
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 227bc61..815da43 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -18,7 +18,7 @@ jobs:
 prs_created: ${{ steps.release.outputs.prs_created }}
 pr_branch_name: ${{ steps.release.outputs.prs_created == 'true' && fromJSON(steps.release.outputs.pr).headBranchName || '' }}
 steps:
- - uses: google-github-actions/release-please-action@v4
+ - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4
 id: release
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
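Review bot: This workflow pins `leafo/gh-actions-lua` at `35bcb06a…` while .github/actions/ci/action.yml pins `luarocks/gh-actions-lua` at `c1e8c4a5…` (and likewise for the luarocks action at `e65774a6…` versus `8acd6db1…`), so the repository now carries two different commits of what appears to be the same action under two owner names. If the `leafo/` repository is simply the older location of the same project, aligning both files on one owner and one SHA leaves a single pin to audit and update; if the split is intentional, a short comment saying why would spare the next reviewer the same question. `actions/checkout@v4` on the context line stays tag-pinned, which the cited Semgrep rule presumably excludes as first-party, but pinning it the same way would make the workflow's policy uniform and easier to lint.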
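Review bot: The `# v4` comment on the release-please-action line records a floating major tag rather than the exact release the SHA `e4dc86ba…` was resolved from, so a reader cannot tell which version is actually pinned and tooling that bumps SHAs from the trailing comment has nothing precise to track. Recording the full tag, e.g. `uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # <exact vX.Y.Z tag this SHA resolves to>`, keeps the pin auditable without changing what runs. The step's `with:` block appears to continue past the end of the hunk.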