From 6203b2426a929d63123a8992be7fd606d4259004 Mon Sep 17 00:00:00 2001
From: Lucas Falslev <lfalslev@specterops.io>
Date: Tue, 14 Apr 2026 09:05:40 -0600
Subject: [PATCH 1/3] update actions

---
 .github/workflows/publish.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 0e01bef..2dbd487 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -23,7 +23,7 @@ jobs:
     name: Build (${{ matrix.release.type }})
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v6
 
       - name: Setup .NET
         uses: actions/setup-dotnet@v5
@@ -46,7 +46,7 @@ jobs:
           sha256sum SharpHound_${{ github.ref_name }}${{ matrix.release.suffix }}_windows_x86.zip > SharpHound_${{ github.ref_name }}${{ matrix.release.suffix }}_windows_x86.zip.sha256
 
       - name: Upload to Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           files: |
             SharpHound_${{ github.ref_name }}${{ matrix.release.suffix }}_windows_x86.zip

From 1159cf7ced753cefd6db7da8421b285890fee9c0 Mon Sep 17 00:00:00 2001
From: Lucas Falslev <lfalslev@specterops.io>
Date: Tue, 14 Apr 2026 09:06:10 -0600
Subject: [PATCH 2/3] pin actions

---
 .github/workflows/build.yml   |  10 ++--
 .github/workflows/cla.yml     |   2 +-
 .github/workflows/publish.yml | 106 +++++++++++++++++-----------------
 3 files changed, 59 insertions(+), 59 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3d5eaf4..5f71190 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,7 +2,7 @@ name: Build
 
 on:
   pull_request:
-    branches: [ 2.X ]
+    branches: [2.X]
 
 jobs:
   build:
@@ -10,12 +10,12 @@ jobs:
 
     steps:
       - name: Setup .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # ratchet:actions/setup-dotnet@v5
         with:
           dotnet-version: 10.0.x
 
       - name: Checkout repository
-        uses: actions/checkout@v6
-        
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
+
       - name: Build
-        run: dotnet build -p:CommonSource=Dev
\ No newline at end of file
+        run: dotnet build -p:CommonSource=Dev
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 2c49216..583272a 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -41,7 +41,7 @@ jobs:
 
       - name: "CLA Assistant"
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: contributor-assistant/github-action@v2.6.1
+        uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # ratchet:contributor-assistant/github-action@v2.6.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PERSONAL_ACCESS_TOKEN: ${{ secrets.REPO_SCOPE }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2dbd487..5e0e104 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,53 +1,53 @@
-name: Publish
-
-on:
-  push: 
-    tags:
-      - v[0-9]+.[0-9]+.[0-9]+*
-
-jobs:
-  build:
-    runs-on: windows-latest
-    defaults:
-      run:
-        shell: bash
-
-    strategy:
-      matrix:
-        release:
-          - type: Debug
-            suffix: '+debug'
-          - type: Release
-            suffix: ''
-
-    name: Build (${{ matrix.release.type }})
-
-    steps:
-      - uses: actions/checkout@v6
-
-      - name: Setup .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: 10.0.x
-
-      - name: Restore Dependencies
-        run: dotnet restore
-
-      - name: Build
-        run: |
-          VERSION=${{ github.ref_name }}
-          dotnet build -c ${{ matrix.release.type }} -p:Version=${VERSION:1} -p:CommonLibSource=Release
-
-      - name: Zip
-        run: 7z a -tzip -mx9 SharpHound_${{ github.ref_name }}${{ matrix.release.suffix }}_windows_x86.zip $PWD/bin/${{ matrix.release.type }}/net472/*
-
-      - name: Checksum zip files
-        run: |
-          sha256sum SharpHound_${{ github.ref_name }}${{ matrix.release.suffix }}_windows_x86.zip > SharpHound_${{ github.ref_name }}${{ matrix.release.suffix }}_windows_x86.zip.sha256
-
-      - name: Upload to Release
-        uses: softprops/action-gh-release@v2
-        with:
-          files: |
-            SharpHound_${{ github.ref_name }}${{ matrix.release.suffix }}_windows_x86.zip
-            SharpHound_${{ github.ref_name }}${{ matrix.release.suffix }}_windows_x86.zip.sha256
+name: Publish
+
+on:
+  push:
+    tags:
+      - v[0-9]+.[0-9]+.[0-9]+*
+
+jobs:
+  build:
+    runs-on: windows-latest
+    defaults:
+      run:
+        shell: bash
+
+    strategy:
+      matrix:
+        release:
+          - type: Debug
+            suffix: '+debug'
+          - type: Release
+            suffix: ''
+
+    name: Build (${{ matrix.release.type }})
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # ratchet:actions/setup-dotnet@v5
+        with:
+          dotnet-version: 10.0.x
+
+      - name: Restore Dependencies
+        run: dotnet restore
+
+      - name: Build
+        run: |
+          VERSION=${{ github.ref_name }}
+          dotnet build -c ${{ matrix.release.type }} -p:Version=${VERSION:1} -p:CommonLibSource=Release
+
+      - name: Zip
+        run: 7z a -tzip -mx9 SharpHound_${{ github.ref_name }}${{ matrix.release.suffix }}_windows_x86.zip $PWD/bin/${{ matrix.release.type }}/net472/*
+
+      - name: Checksum zip files
+        run: |
+          sha256sum SharpHound_${{ github.ref_name }}${{ matrix.release.suffix }}_windows_x86.zip > SharpHound_${{ github.ref_name }}${{ matrix.release.suffix }}_windows_x86.zip.sha256
+
+      - name: Upload to Release
+        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # ratchet:softprops/action-gh-release@v2
+        with:
+          files: |
+            SharpHound_${{ github.ref_name }}${{ matrix.release.suffix }}_windows_x86.zip
+            SharpHound_${{ github.ref_name }}${{ matrix.release.suffix }}_windows_x86.zip.sha256

From dc53d834dfa6293590daf3f42ff13f37d36193ad Mon Sep 17 00:00:00 2001
From: Lucas Falslev <lfalslev@specterops.io>
Date: Tue, 14 Apr 2026 10:45:28 -0600
Subject: [PATCH 3/3] update action-gh-release to v3

---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5e0e104..a8c9e2b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -46,7 +46,7 @@ jobs:
           sha256sum SharpHound_${{ github.ref_name }}${{ matrix.release.suffix }}_windows_x86.zip > SharpHound_${{ github.ref_name }}${{ matrix.release.suffix }}_windows_x86.zip.sha256
 
       - name: Upload to Release
-        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # ratchet:softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # ratchet:softprops/action-gh-release@v3
         with:
           files: |
             SharpHound_${{ github.ref_name }}${{ matrix.release.suffix }}_windows_x86.zip