From 1386296e21744a0bad6d41288f5ef623780ec30e Mon Sep 17 00:00:00 2001
From: ry-ops <78445050+ry-ops@users.noreply.github.com>
Date: Tue, 5 May 2026 14:35:14 -0500
Subject: [PATCH 1/2] ci: pin checkout, setup-node to commit SHA
---
 .github/workflows/achievement-tracker.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/achievement-tracker.yml b/.github/workflows/achievement-tracker.yml
index 4d36219..dc726bf 100644
--- a/.github/workflows/achievement-tracker.yml
+++ b/.github/workflows/achievement-tracker.yml
@@ -9,10 +9,10 @@ jobs:
 track-achievements:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 - name: Setup Node.js
- uses: actions/setup-node@v3
+ uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version: '18'
From 82eecb1130e6c36281b7bd372c4c2d4aa2de955c Mon Sep 17 00:00:00 2001
From: ry-ops <78445050+ry-ops@users.noreply.github.com>
Date: Tue, 5 May 2026 14:35:15 -0500
Subject: [PATCH 2/2] ci: pin checkout, setup-node, setup-python, actions to commit SHA
---
 .github/workflows/security.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 5cd73a6..6e5c22b 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -12,11 +12,11 @@ jobs:
 security:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
 if: hashFiles('package.json') != ''
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '18'
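Review bot: The trailing comments on both pinned lines in achievement-tracker.yml record only the major tag (`# v3`), so a reviewer cannot tell which release each 40-character SHA was taken from or judge a later bump against it. Record the exact release instead, e.g. `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # vX.Y.Z` (placeholder for the tag that SHA resolves to), and confirm the commit is reachable from that tag in the upstream `actions/checkout` repository rather than only from a fork. The same applies to the `# v4` and `# v5` comments in the security.yml hunks of the second patch. This workflow also stays frozen on the v3 line while security.yml pins v4; if that difference is not deliberate, move to v4 before pinning.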
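Review bot: In security.yml the pinned `actions/checkout` step still runs with its defaults, which leave the job token in the local git config for every later step, and this job goes on to run a third-party action (`snyk/actions/node`, in the last hunk). Unless a later step needs to push or fetch with that token, add `persist-credentials: false` under a `with:` key on the checkout step. The workflow's `permissions:` block, if it has one, is outside the hunks shown, so whether the token is already read-only cannot be confirmed from here.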
@@ -31,7 +31,7 @@ jobs:
 - name: Setup Python
 if: hashFiles('requirements.txt') != '' || hashFiles('pyproject.toml') != ''
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: '3.12'
@@ -43,7 +43,7 @@ jobs:
 continue-on-error: true
 - name: Run Snyk Security Scan
- uses: snyk/actions/node@master
+ uses: snyk/actions/node@9cf6ca713d71123d2d229cc3d7f145b96ea3c518 # master
 continue-on-error: true
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
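Review bot: The Snyk pin in the last hunk is annotated `# master`, which names a moving branch, so the SHA is simply whatever the branch head was when the pin was made and cannot be checked against any release. This is the step that receives `SNYK_TOKEN`, so it is the pin that most needs to be auditable. If `snyk/actions` publishes release tags, pin to the commit of one and record it, `uses: snyk/actions/node@<sha-of-tagged-release> # <tag>` (both placeholders). Separately, the `continue-on-error: true` context line on this step means scan findings or failures do not fail the job; worth confirming that is intended for a workflow named security.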