From 3c859a55908bb1c86750a1cb81d56722f17288bf Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 20 Nov 2025 18:15:09 +0000
Subject: [PATCH 1/2] chore(deps): update actions/checkout action to v6

---
 .github/workflows/build-linux-arm.yml | 2 +-
 .github/workflows/build-linux.yml     | 2 +-
 .github/workflows/build-macos.yaml    | 2 +-
 .github/workflows/cibuildwheel.yml    | 2 +-
 .github/workflows/pre-commit.yml      | 2 +-
 .github/workflows/skywalking-eyes.yml | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build-linux-arm.yml b/.github/workflows/build-linux-arm.yml
index 3b2d3986..50349b1c 100644
--- a/.github/workflows/build-linux-arm.yml
+++ b/.github/workflows/build-linux-arm.yml
@@ -45,7 +45,7 @@ jobs:
             cc: clang-15
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Configure build
       working-directory: ${{ runner.temp }}
diff --git a/.github/workflows/build-linux.yml b/.github/workflows/build-linux.yml
index 620250cd..0a0eda17 100644
--- a/.github/workflows/build-linux.yml
+++ b/.github/workflows/build-linux.yml
@@ -49,7 +49,7 @@ jobs:
             ivf: ON
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
     - name: Install MKL
       timeout-minutes: 5
       run: |
diff --git a/.github/workflows/build-macos.yaml b/.github/workflows/build-macos.yaml
index 0303d943..4af0ae0e 100644
--- a/.github/workflows/build-macos.yaml
+++ b/.github/workflows/build-macos.yaml
@@ -44,7 +44,7 @@ jobs:
             needs_prefix: true
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Install Compiler
       run: |
diff --git a/.github/workflows/cibuildwheel.yml b/.github/workflows/cibuildwheel.yml
index 8e88ee5c..bf8c58a5 100644
--- a/.github/workflows/cibuildwheel.yml
+++ b/.github/workflows/cibuildwheel.yml
@@ -33,7 +33,7 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Build Container
       run: |
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index fbcf6462..6a186f15 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -21,7 +21,7 @@ jobs:
   pre-commit:
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
     - uses: actions/setup-python@v6
       with:
         python-version: '3.12'
diff --git a/.github/workflows/skywalking-eyes.yml b/.github/workflows/skywalking-eyes.yml
index 5bdfb74b..a6840610 100644
--- a/.github/workflows/skywalking-eyes.yml
+++ b/.github/workflows/skywalking-eyes.yml
@@ -34,7 +34,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: "Run check"
         uses: apache/skywalking-eyes/header@61275cc80d0798a405cb070f7d3a8aaf7cf2c2c1 # v0.8.0
         with:

From b9542af8e141d0dcda79bd871940ef6a070e2392 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Thu, 20 Nov 2025 10:34:09 -0800
Subject: [PATCH 2/2] Use commit hashes for actions/checkout references (#229)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updated all `actions/checkout` action references to use commit hashes
instead of version tags for improved security and reproducibility.

## Changes

- Replaced `actions/checkout@v6` with
`actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0` in:
  - `.github/workflows/cibuildwheel.yml`
  - `.github/workflows/build-linux-arm.yml`
  - `.github/workflows/build-linux.yml`
  - `.github/workflows/build-macos.yaml`
  - `.github/workflows/pre-commit.yml`

This aligns all workflow files with the existing pattern in
`.github/workflows/skywalking-eyes.yml` and prevents potential tag
hijacking attacks.

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/intel/ScalableVectorSearch/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: mihaic <165546+mihaic@users.noreply.github.com>
---
 .github/workflows/build-linux-arm.yml | 2 +-
 .github/workflows/build-linux.yml     | 2 +-
 .github/workflows/build-macos.yaml    | 2 +-
 .github/workflows/cibuildwheel.yml    | 2 +-
 .github/workflows/pre-commit.yml      | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build-linux-arm.yml b/.github/workflows/build-linux-arm.yml
index 50349b1c..21ff6aeb 100644
--- a/.github/workflows/build-linux-arm.yml
+++ b/.github/workflows/build-linux-arm.yml
@@ -45,7 +45,7 @@ jobs:
             cc: clang-15
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
     - name: Configure build
       working-directory: ${{ runner.temp }}
diff --git a/.github/workflows/build-linux.yml b/.github/workflows/build-linux.yml
index 0a0eda17..ef982128 100644
--- a/.github/workflows/build-linux.yml
+++ b/.github/workflows/build-linux.yml
@@ -49,7 +49,7 @@ jobs:
             ivf: ON
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
     - name: Install MKL
       timeout-minutes: 5
       run: |
diff --git a/.github/workflows/build-macos.yaml b/.github/workflows/build-macos.yaml
index 4af0ae0e..8445d32b 100644
--- a/.github/workflows/build-macos.yaml
+++ b/.github/workflows/build-macos.yaml
@@ -44,7 +44,7 @@ jobs:
             needs_prefix: true
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
     - name: Install Compiler
       run: |
diff --git a/.github/workflows/cibuildwheel.yml b/.github/workflows/cibuildwheel.yml
index bf8c58a5..2f9f5cc1 100644
--- a/.github/workflows/cibuildwheel.yml
+++ b/.github/workflows/cibuildwheel.yml
@@ -33,7 +33,7 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
     - name: Build Container
       run: |
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 6a186f15..a48a2750 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -21,7 +21,7 @@ jobs:
   pre-commit:
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
     - uses: actions/setup-python@v6
       with:
         python-version: '3.12'