From 3bb366d91fc06d34c4c5a15a1c5693705908bdbf Mon Sep 17 00:00:00 2001
From: Blake Hastings
Date: Mon, 1 Jun 2026 09:08:29 -0500
Subject: [PATCH] ci: pin workflow actions to commit SHAs (PROT-39)

Pin actions/checkout (v4), actions/setup-dotnet (v5), and googleapis/release-please-action (v4) to immutable commit SHAs with version comments, closing the supply-chain risk of a moving tag being repointed on this public repo. Majors are unchanged; newer majors (checkout v6, release-please v5) are deferred as a separate evaluation.

Refs: PROT-39
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/release-please.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index c32a7e5..ff76ca0 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -24,7 +24,7 @@ jobs:
       # Uses the default GITHUB_TOKEN: the build job runs in this same workflow run (gated on
       # release_created), so the "GITHUB_TOKEN does not trigger downstream workflows" limitation
       # does not apply and no PAT is needed.
-      - uses: googleapis/release-please-action@v4
+      - uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4
         id: rp
 
   build:
@@ -39,11 +39,11 @@ jobs:
           - { rid: osx-arm64, os: macos-latest, ext: '' }
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0 # MinVer needs full history + the tag release-please just created.
-      - uses: actions/setup-dotnet@v5
+      - uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5
         with:
           dotnet-version: '10.0.x'
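Review bot: The pin comments on the three new `uses:` lines (`# v4`, `# v4`, `# v5`) record only the major, so a reader cannot tell which release each 40-character SHA was resolved from, and the commit message does not say how the SHAs were mapped to tags, which leaves the pins hard to re-verify against upstream. Record the exact tag that was resolved instead, e.g. `# v4.<minor>.<patch>` (placeholder: use the tag the SHA was taken from), so the pin can be checked against the upstream tag and so automated updaters that rewrite the comment together with the SHA keep it accurate. A SHA pin also stops patch releases within the major from arriving on their own, so if the repository has no `github-actions` ecosystem entry in its Dependabot or Renovate configuration, one should be added in a follow-up to keep these pins from going stale. The enclosing job's header in the first hunk sits above the hunk, and the second hunk's last two lines fall outside this chunk, so the remaining build steps were not reviewed.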