From 00190ca8c80206942ba625d036a9fa21dd443fce Mon Sep 17 00:00:00 2001
From: rocelito
Date: Thu, 10 Apr 2025 10:11:15 +0800
Subject: [PATCH 1/2] issue-4160: Lock Actions
---
 .github/workflows/ci.yml | 8 ++++----
 .github/workflows/e2e-external-phase-1.yml | 2 +-
 .github/workflows/e2e-external-phase-2.yml | 6 +++---
 .github/workflows/manual-release.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 tests/end_to_end/repo/.github/workflows/ci.yml | 4 ++--
 6 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9bd678a8..fd0cf194 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,15 +17,15 @@ jobs:
 contents: write
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Install uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
 with:
 python-version: "3.12"
 - name: Poetry caches
- uses: actions/cache@v4
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
 path: |
 ~/.cache/
@@ -50,7 +50,7 @@ jobs:
 ANNOTATE_MISSING_LINES: true
 - name: Store Pull Request comment to be posted
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 if: steps.coverage_comment.outputs.COMMENT_FILE_WRITTEN == 'true'
 with:
 name: python-coverage-comment-action
diff --git a/.github/workflows/e2e-external-phase-1.yml b/.github/workflows/e2e-external-phase-1.yml
index 2f21681e..0e0f6020 100644
--- a/.github/workflows/e2e-external-phase-1.yml
+++ b/.github/workflows/e2e-external-phase-1.yml
@@ -20,7 +20,7 @@ jobs:
 env:
 PR_NUMBER: ${{ github.event.pull_request.number }}
 - name: Save artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: pr_number
 path: pr_number.txt
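Review bot: The SHA pins added in `.github/workflows/ci.yml` (hunk `@@ -17,15 +17,15 @@`, and in the same form in the other hunks of this patch) freeze each action at the release named in its trailing comment, and the diffstat lists only workflow files, so no updater configuration arrives with them. Unless the repository already has one, later security fixes to `actions/checkout`, `astral-sh/setup-uv`, `actions/cache` and `actions/upload-artifact` will not be picked up on their own, and the `# v4.2.2`-style comments remain the only link between a SHA and its release. Consider a Dependabot entry with `package-ecosystem: "github-actions"` so the SHA and its version comment are bumped together. The job body continues outside the hunk.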
diff --git a/.github/workflows/e2e-external-phase-2.yml b/.github/workflows/e2e-external-phase-2.yml
index 9f73a38e..87da91b1 100644
--- a/.github/workflows/e2e-external-phase-2.yml
+++ b/.github/workflows/e2e-external-phase-2.yml
@@ -82,19 +82,19 @@ jobs:
 JOB_ID: ${{ steps.extract_job_id.outputs.JOB_ID }}
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 # Important: use the commit that was reviewed. GitHub is making sure
 # that this is race-condition-proof
 ref: ${{ steps.extract_commit.outputs.COMMIT_ID }}
 - name: Install uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
 with:
 python-version: "3.12"
 - name: Poetry caches
- uses: actions/cache@v4
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
 path: |
 ~/.cache/
diff --git a/.github/workflows/manual-release.yml b/.github/workflows/manual-release.yml
index 727afe8e..2b7c005e 100644
--- a/.github/workflows/manual-release.yml
+++ b/.github/workflows/manual-release.yml
@@ -14,7 +14,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 fetch-tags: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1a5cd8f4..8a321912 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -53,7 +53,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 fetch-tags: true
diff --git a/tests/end_to_end/repo/.github/workflows/ci.yml b/tests/end_to_end/repo/.github/workflows/ci.yml
index b07325ab..86868ba1 100644
--- a/tests/end_to_end/repo/.github/workflows/ci.yml
+++ b/tests/end_to_end/repo/.github/workflows/ci.yml
@@ -17,7 +17,7 @@ jobs:
 pull-requests: write
 contents: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: actions/setup-python@v5
 with:
@@ -40,7 +40,7 @@ jobs:
 SUBPROJECT_ID: __ACTION_SUBPROJECT_ID__
 - name: Store Pull Request comment to be posted
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 if: steps.coverage_comment.outputs.COMMENT_FILE_WRITTEN == 'true'
 with:
 name: python-coverage-comment-action
From 235298733381e8d961f651aa4203294c00b8d1a8 Mon Sep 17 00:00:00 2001
From: rocelito
Date: Wed, 16 Apr 2025 21:03:32 +0800
Subject: [PATCH 2/2] lock actions
---
 .github/workflows/ci.yml | 2 +-
 .github/workflows/coverage-comment.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fd0cf194..f0239b91 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -44,7 +44,7 @@ jobs:
 - name: Coverage comment
 id: coverage_comment
- uses: py-cov-action/python-coverage-comment-action@main
+ uses: py-cov-action/python-coverage-comment-action@6a358b14250432019657300436a100839bc44861 # current main
 with:
 GITHUB_TOKEN: ${{ github.token }}
 ANNOTATE_MISSING_LINES: true
diff --git a/.github/workflows/coverage-comment.yml b/.github/workflows/coverage-comment.yml
index f424d647..2459f6cb 100644
--- a/.github/workflows/coverage-comment.yml
+++ b/.github/workflows/coverage-comment.yml
@@ -17,7 +17,7 @@ jobs:
 contents: write
 steps:
 - name: Post comment
- uses: py-cov-action/python-coverage-comment-action@main
+ uses: py-cov-action/python-coverage-comment-action@6a358b14250432019657300436a100839bc44861 # current main
 with:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GITHUB_PR_RUN_ID: ${{ github.event.workflow_run.id }}
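Review bot: `actions/setup-python@v5` stays on a mutable tag in `tests/end_to_end/repo/.github/workflows/ci.yml` (hunk `@@ -17,7 +17,7 @@`), on the step right after the newly pinned `actions/checkout`. The job shown in the hunk holds `pull-requests: write` and `contents: write`, so the unpinned step runs with the same token scope the other pins are meant to protect. Pin it the same way, `- uses: actions/setup-python@<full-commit-sha> # <v5 release tag>`, taking the SHA from the upstream release. The steps between this hunk and `@@ -40,7 +40,7 @@` are not visible here and may hold further tag references.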
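Review bot: The trailing comment `# current main` in `.github/workflows/ci.yml` (patch 2/2, hunk `@@ -44,7 +44,7 @@`) names no release, so it goes stale as soon as `main` moves and leaves a reviewer or update tool nothing to check the SHA against; the same line is added in `.github/workflows/coverage-comment.yml`. Both steps are handed a token (`github.token` and `secrets.GITHUB_TOKEN`), so an auditable pin matters here. Prefer the commit of a tagged release with the tag in the comment, `uses: py-cov-action/python-coverage-comment-action@<release-commit-sha> # <release-tag>`, or at least record the date the pin was taken. If this repository is the action itself, which the paths suggest but the diff does not show, these workflows will now run a frozen copy rather than the code under review.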