From b44c0f625f8b40371917ae6e2755a56f433128f2 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans <etienne@supabase.io>
Date: Tue, 12 May 2026 12:18:05 +0200
Subject: [PATCH] chore: pin actions to sha

---
 .github/workflows/coverage.yml    | 14 +++++++-------
 .github/workflows/pre-commit.yaml |  4 ++--
 .github/workflows/release.yml     |  8 ++++----
 .github/workflows/test.yml        |  2 +-
 4 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index c276f103..3eb58228 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Add postgres package repo
         run: |
@@ -27,7 +27,7 @@ jobs:
           wget -qO- https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo tee /etc/apt/trusted.gpg.d/pgdg.asc &>/dev/null
 
       - name: Cache APT packages
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         id: apt-cache
         with:
           path: ~/apt-cache
@@ -47,12 +47,12 @@ jobs:
           cp /var/cache/apt/archives/*.deb ~/apt-cache/ 2>/dev/null || true
 
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
         with:
           components: llvm-tools-preview
 
       - name: Cache cargo binaries
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         id: cargo-bins
         with:
           path: ${{ github.workspace }}/.cargo-bin-cache
@@ -72,7 +72,7 @@ jobs:
           cp ~/.cargo/bin/cargo-llvm-cov ~/.cargo/bin/cargo-pgrx ${{ github.workspace }}/.cargo-bin-cache/
 
       - name: Cache pgrx init
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         id: pgrx-init
         with:
           path: ~/.pgrx
@@ -84,7 +84,7 @@ jobs:
           cargo pgrx init --pg${{ env.PG_VERSION }}=/usr/lib/postgresql/${{ env.PG_VERSION }}/bin/pg_config
 
       - name: Cache Rust build
-        uses: Swatinem/rust-cache@v2
+        uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
 
       - name: Build and run coverage
         run: |
@@ -102,7 +102,7 @@ jobs:
           cargo llvm-cov report --lcov --output-path lcov.info
 
       - name: Coveralls upload
-        uses: coverallsapp/github-action@v2
+        uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           path-to-lcov: lcov.info
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
index 79f386be..4d302b68 100644
--- a/.github/workflows/pre-commit.yaml
+++ b/.github/workflows/pre-commit.yaml
@@ -12,10 +12,10 @@ jobs:
 
     steps:
     - name: checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: set up python 3.12
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: 3.12
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 20f8b20a..31c5c0d0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,10 +16,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Create Release
         id: create_release
-        uses: actions/create-release@v1
+        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -51,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.box.runner }}
     timeout-minutes: 90
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: build release artifacts
         run: |
@@ -137,7 +137,7 @@ jobs:
         run: echo UPLOAD_URL=$(curl --silent https://api.github.com/repos/${{ github.repository }}/releases/latest | jq .upload_url --raw-output) >> $GITHUB_ENV
 
       - name: Upload release asset
-        uses: actions/upload-release-asset@v1
+        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 15f08b15..d104e043 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Build docker images
         run: PG_VERSION=${{ matrix.postgres }} docker compose -f .ci/docker-compose.yml build