From 80a097752754efb217028aacf0b548288a509f9b Mon Sep 17 00:00:00 2001
From: Renato Valenzuela <valerena@amazon.com>
Date: Thu, 16 Apr 2026 18:27:57 +0000
Subject: [PATCH] chore(action): pin AWS actions to commit SHAs

- `aws-actions/stale-issue-cleanup@v6` to `@7de35968489e4142233d2a6812519a82e68b5c38 # v6`
- `aws-actions/closed-issue-message@v2` to `@10aaf6366131b673a7c8b7742f8b3849f1d44f18 # v2`
- `aws-actions/configure-aws-credentials@v6` to `@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6`
---
 .github/workflows/close-stale-issues.yml   | 2 +-
 .github/workflows/closed-issue-message.yml | 2 +-
 .github/workflows/integration-tests.yml    | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/close-stale-issues.yml b/.github/workflows/close-stale-issues.yml
index 757155f8697..1b4fc56fb8d 100644
--- a/.github/workflows/close-stale-issues.yml
+++ b/.github/workflows/close-stale-issues.yml
@@ -14,7 +14,7 @@ jobs:
     permissions:
       issues: write
     steps:
-    - uses: aws-actions/stale-issue-cleanup@v6
+    - uses: aws-actions/stale-issue-cleanup@7de35968489e4142233d2a6812519a82e68b5c38 # v6
       with:
         issue-types: issues
       
diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml
index c950693cebf..520adbebc47 100644
--- a/.github/workflows/closed-issue-message.yml
+++ b/.github/workflows/closed-issue-message.yml
@@ -9,7 +9,7 @@ jobs:
     permissions:
       issues: write
     steps:
-      - uses: aws-actions/closed-issue-message@v2
+      - uses: aws-actions/closed-issue-message@10aaf6366131b673a7c8b7742f8b3849f1d44f18 # v2
         with:
           # These inputs are both required
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 68c4c5926eb..651e319b7a7 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -243,7 +243,7 @@ jobs:
           echo "SAM_CLI_DEV=" >> $GITHUB_ENV
 
       - name: Configure AWS credentials via OIDC
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
         with:
           role-to-assume: ${{ secrets.OIDC_ROLE_ARN }}
           aws-region: us-east-1
@@ -451,14 +451,14 @@ jobs:
 
       - name: Re-authenticate with OIDC for cleanup
         if: always() && env.SCRIPT_PY != ''
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
         with:
           role-to-assume: ${{ secrets.OIDC_ROLE_ARN }}
           aws-region: us-east-1
 
       - name: Assume test reporting role
         if: always() && env.SCRIPT_PY != ''
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
         with:
           role-to-assume: ${{ secrets.TESTREPORTING_ARN }}
           aws-region: us-east-1