More GH action version pinning

cowtowncoder · cowtowncoder · commit ee9dc0feffec · 2026-02-20T10:07:13.000-08:00
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
@@ -14,13 +14,13 @@ jobs:
     steps:
     - name: Build Fuzzers
       id: build
-      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@95357244dd046184828bfaec7f80b0881a284d80 # master (2026-02-20)
       with:
         oss-fuzz-project-name: 'jackson-core'
         dry-run: false
         language: jvm
     - name: Run Fuzzers
-      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@95357244dd046184828bfaec7f80b0881a284d80 # master (2026-02-20)
       with:
         oss-fuzz-project-name: 'jackson-core'
         fuzz-seconds: 1200
diff --git a/.github/workflows/coverage-comment.yml b/.github/workflows/coverage-comment.yml
@@ -14,7 +14,7 @@ jobs:
     if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
     steps:
     - name: Download comment artifact
-      uses: actions/download-artifact@v7
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
       with:
         name: pr-comment
         path: pr-comment/
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -78,7 +78,7 @@ jobs:
       actions: read # To read the workflow path.
       id-token: write # To sign the provenance.
       contents: write # To add assets to a release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
     with:
       base64-subjects: "${{ needs.release.outputs.hash }}"
       provenance-name: "${{ needs.release.outputs.artifact_name }}.jar.intoto.jsonl"
