From 0a91344536d7053e42413227378a94e7616725ab Mon Sep 17 00:00:00 2001
From: Reimar Bauer
Date: Tue, 15 Apr 2025 15:52:47 +0200
Subject: [PATCH 01/11] Ensure SHA Pinned Actions

---
 .github/workflows/enforce-sha.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 .github/workflows/enforce-sha.yaml

diff --git a/.github/workflows/enforce-sha.yaml b/.github/workflows/enforce-sha.yaml
new file mode 100644
index 000000000..6638ec31c
--- /dev/null
+++ b/.github/workflows/enforce-sha.yaml
@@ -0,0 +1,22 @@
+on:
+ push:
+ branches:
+ - develop
+ - stable
+ - 'GSOC**'
+ pull_request:
+
+name: Security
+
+jobs:
+ ensure-pinned-actions:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - name: Ensure SHA pinned actions
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@4830be28ce81da52ec70d65c552a7403821d98d4 # v3
+ with:
+ allowlist: |
+ Open-MSS/
+ dry_run: 'true'

From 0532a4a2a9ecddb2d25220b3469f7094039e24e9 Mon Sep 17 00:00:00 2001
From: Reimar Bauer
Date: Tue, 15 Apr 2025 16:03:48 +0200
Subject: [PATCH 02/11] disabled dry-run

---
 .github/workflows/enforce-sha.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/enforce-sha.yaml b/.github/workflows/enforce-sha.yaml
index 6638ec31c..b75059fa5 100644
--- a/.github/workflows/enforce-sha.yaml
+++ b/.github/workflows/enforce-sha.yaml
@@ -19,4 +19,4 @@ jobs:
 with:
 allowlist: |
 Open-MSS/
- dry_run: 'true'
+ dry_run: 'false'

From 58d6b9351114328bb7ec0e7f16bb800b3f1de924 Mon Sep 17 00:00:00 2001
From: Reimar Bauer
Date: Wed, 16 Apr 2025 17:06:20 +0200
Subject: [PATCH 03/11] try frizbee

---
 .github/workflows/enforce-sha.yaml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/.github/workflows/enforce-sha.yaml b/.github/workflows/enforce-sha.yaml
index b75059fa5..c8b4ed19f 100644
--- a/.github/workflows/enforce-sha.yaml
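Review bot: The new enforce-sha.yaml declares no `permissions:` block, so the ensure-pinned-actions job runs with whatever default token permissions the repository grants, although a read-only check needs only `permissions: contents: read` at the top of the workflow. The same omission carries over when the job is moved into lint.yml in patch 10, unless lint.yml already sets permissions at the workflow level outside that hunk. The `allowlist: Open-MSS/` input exempts the organisation's own actions from the pin requirement, which is a trust decision worth recording next to it, e.g. `# first-party Open-MSS actions are exempt; every third-party action must be SHA-pinned`.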
+++ b/.github/workflows/enforce-sha.yaml
@@ -20,3 +20,26 @@ jobs:
 allowlist: |
 Open-MSS/
 dry_run: 'false'
+
+jobs:
+ frizbee_check:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: stacklok/frizbee-action@a0f3391cbe93a54e2a68cfaca2283f8cf3fd72ea # v0.0.2
+ with:
+ actions: .github/workflows
+ open_pr: true
+ fail_on_unpinned: true
+ token: ${{ secrets.PAT }}
+ branch: automation/update-sha
+ add-paths:
+ - build_docs_gallery.yml
+ - lint.yml
+ - testing-all-oses.yml
+ - update-pixi-lockfile.yml
+ delete-branch: true
+ commit-message: Update sha of actions
+ title: Update sha of actions
+ body-path: diff.md

From 5f5a3733d8ac5076a2ce71d9683b8f8390155ae7 Mon Sep 17 00:00:00 2001
From: Reimar Bauer
Date: Wed, 16 Apr 2025 17:10:57 +0200
Subject: [PATCH 04/11] syntax fixed

---
 .github/workflows/enforce-sha.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/enforce-sha.yaml b/.github/workflows/enforce-sha.yaml
index c8b4ed19f..d0ded9252 100644
--- a/.github/workflows/enforce-sha.yaml
+++ b/.github/workflows/enforce-sha.yaml
@@ -21,7 +21,6 @@ jobs:
 Open-MSS/
 dry_run: 'false'
 
-jobs:
 frizbee_check:
 runs-on: ubuntu-latest
 steps:

From 083bbdbf48bbd9e433cc774108563bd2f52d8572 Mon Sep 17 00:00:00 2001
From: Reimar Bauer
Date: Wed, 16 Apr 2025 17:15:57 +0200
Subject: [PATCH 05/11] undo

---
 .github/workflows/enforce-sha.yaml | 22 ----------------------
 1 file changed, 22 deletions(-)

diff --git a/.github/workflows/enforce-sha.yaml b/.github/workflows/enforce-sha.yaml
index d0ded9252..b75059fa5 100644
--- a/.github/workflows/enforce-sha.yaml
+++ b/.github/workflows/enforce-sha.yaml
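Review bot: The frizbee_check job added in patch 03 passes `add-paths`, `commit-message`, `title` and `body-path` to stacklok/frizbee-action, but those names match the inputs of peter-evans/create-pull-request seen in update-pixi-lockfile.yml, not the `actions`/`open_pr`/`fail_on_unpinned`/`token` set that patch 06's frizbee.yaml settles on; unless the action documents them they are presumably ignored, so the PR body and paths would not be what the author expects. The job also sits under the same `push`/`pull_request` triggers as the enforcement check, so the write-capable `secrets.PAT` is exposed to every push and same-repository pull-request run, whereas an automation job that opens PRs belongs under `schedule`/`workflow_dispatch`, as patch 06 later does. Patch 05 reverts this hunk, so nothing here survives, but the duplicate top-level `jobs:` key that patch 04 removes shows the file was never validated before being pushed; a local `yamllint` or `actionlint` run would have caught it.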
@@ -20,25 +20,3 @@ jobs:
 allowlist: |
 Open-MSS/
 dry_run: 'false'
-
- frizbee_check:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- - uses: stacklok/frizbee-action@a0f3391cbe93a54e2a68cfaca2283f8cf3fd72ea # v0.0.2
- with:
- actions: .github/workflows
- open_pr: true
- fail_on_unpinned: true
- token: ${{ secrets.PAT }}
- branch: automation/update-sha
- add-paths:
- - build_docs_gallery.yml
- - lint.yml
- - testing-all-oses.yml
- - update-pixi-lockfile.yml
- delete-branch: true
- commit-message: Update sha of actions
- title: Update sha of actions
- body-path: diff.md

From 5f8cca6cc83b6290f2b4b65667248efc002fb604 Mon Sep 17 00:00:00 2001
From: Reimar Bauer
Date: Wed, 16 Apr 2025 20:29:46 +0200
Subject: [PATCH 06/11] try frizbee

---
 .github/workflows/frizbee.yaml | 19 +++++++++++++++++++
 .github/workflows/lint.yml | 4 ++--
 .github/workflows/update-pixi-lockfile.yml | 4 ++--
 3 files changed, 23 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/frizbee.yaml

diff --git a/.github/workflows/frizbee.yaml b/.github/workflows/frizbee.yaml
new file mode 100644
index 000000000..1aae9d654
--- /dev/null
+++ b/.github/workflows/frizbee.yaml
@@ -0,0 +1,19 @@
+name: Frizbee Pinned ActionsCheck
+
+on:
+ schedule:
+ - cron: '0 0 * * *' # Run every day at midnight
+ workflow_dispatch:
+
+jobs:
+ frizbee_check:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: stacklok/frizbee-action@a0f3391cbe93a54e2a68cfaca2283f8cf3fd72ea # v0.0.2
+ with:
+ token: ${{ secrets.PAT }}
+ actions: .github/workflows
+ open_pr: true
+ fail_on_unpinned: true
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index c0c13bf86..ed8afb23e 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
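Review bot: The frizbee_check job in the new frizbee.yaml hands `secrets.PAT` to an action that opens pull requests touching `.github/workflows`, which requires a token with workflow-write rights, yet nothing in the file records what that PAT is scoped to or why GITHUB_TOKEN is not used; add a comment above `token:` such as `# PAT: fine-grained token scoped to this repository only; GITHUB_TOKEN cannot push changes under .github/workflows`. The workflow also has no `permissions:` block, so the default token is granted more than the checkout step needs — `permissions: contents: read` at workflow level is enough for the steps shown, since the PAT does the writing. The schedule comment `# Run every day at midnight` could note that GitHub evaluates cron in UTC.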
@@ -43,7 +43,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Check for CRLF in the repository
 run: |
 files_with_crlf="$(git ls-files --eol | awk '$1 ~ "crlf"')"
@@ -54,7 +54,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Check for whitespace issues in the repository
 # The two example.txt files need to be excluded because whitespace at EOL is part
 # of their format and they fail to parse otherwise.
diff --git a/.github/workflows/update-pixi-lockfile.yml b/.github/workflows/update-pixi-lockfile.yml
index 921f5646b..9c88fe6d8 100644
--- a/.github/workflows/update-pixi-lockfile.yml
+++ b/.github/workflows/update-pixi-lockfile.yml
@@ -15,7 +15,7 @@ jobs:
 matrix:
 base_branch: ["develop", "stable"]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 ref: ${{ matrix.base_branch }}
 - name: Generate new lockfile
@@ -28,7 +28,7 @@ jobs:
 set -o pipefail
 pixi update --json | pixi exec pixi-diff-to-markdown >> diff.md
 - name: Create or update pull request
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
 with:
 token: ${{ secrets.PAT }}
 branch: automation/update-pixi-lockfile

From 05a0d7e0673c5670ea5043e032774747fab4d917 Mon Sep 17 00:00:00 2001
From: Reimar Bauer
Date: Wed, 16 Apr 2025 20:37:35 +0200
Subject: [PATCH 07/11] hash updated by frizbee

---
 .github/workflows/build_docs_gallery.yml | 4 ++--
 .github/workflows/lint.yml | 8 ++++----
 .github/workflows/testing-all-oses.yml | 4 ++--
 .github/workflows/update-pixi-lockfile.yml | 2 +-
 4 files changed, 9 insertions(+), 9 deletions(-)
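Review bot: Each new pin carries only a major-version comment (`# v4`, `# v7`) next to a SHA that resolves to one exact release, so a reader cannot tell which patch release is pinned or whether the SHA and its comment have drifted apart; write the exact tag the SHA was resolved from (`# v4.x.y` — placeholder, fill in the tag you actually pinned) so that version-tracking tools, which update the SHA and the comment together when the comment names a tag, keep the two in sync. This applies to all four hunks of this patch and to the `actions/checkout` pins in patch 07, where the neighbouring `# v0.8.7` annotation already shows the preferred form. The pins themselves are the right change; this is only about how they are annotated.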
diff --git a/.github/workflows/build_docs_gallery.yml b/.github/workflows/build_docs_gallery.yml
index 4062b932b..fbbaebfe0 100644
--- a/.github/workflows/build_docs_gallery.yml
+++ b/.github/workflows/build_docs_gallery.yml
@@ -7,8 +7,8 @@ jobs:
 Test-MSS-docs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: prefix-dev/setup-pixi@v0.8.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: prefix-dev/setup-pixi@5044b250243a57e8c78f7c38acd73f6d7954a3cf # v0.8.7
 with:
 pixi-version: latest
 cache: true
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index ed8afb23e..0c701b5f1 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -17,8 +17,8 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
- - uses: actions/checkout@v4
- - uses: prefix-dev/setup-pixi@v0.8.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: prefix-dev/setup-pixi@5044b250243a57e8c78f7c38acd73f6d7954a3cf # v0.8.7
 with:
 pixi-version: latest
 cache: true
@@ -30,8 +30,8 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
- - uses: actions/checkout@v4
- - uses: prefix-dev/setup-pixi@v0.8.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: prefix-dev/setup-pixi@5044b250243a57e8c78f7c38acd73f6d7954a3cf # v0.8.7
 with:
 pixi-version: latest
 cache: true
diff --git a/.github/workflows/testing-all-oses.yml b/.github/workflows/testing-all-oses.yml
index a01e33cbb..356a7c136 100644
--- a/.github/workflows/testing-all-oses.yml
+++ b/.github/workflows/testing-all-oses.yml
@@ -20,8 +20,8 @@ jobs:
 matrix:
 os: ["macos-13", "macos-14", "ubuntu-latest"]
 steps:
- - uses: actions/checkout@v4
- - uses: prefix-dev/setup-pixi@v0.8.7
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: prefix-dev/setup-pixi@5044b250243a57e8c78f7c38acd73f6d7954a3cf # v0.8.7
 with:
 pixi-version: latest
 cache: true
diff --git a/.github/workflows/update-pixi-lockfile.yml b/.github/workflows/update-pixi-lockfile.yml
index 9c88fe6d8..47aeb10e8 100644
--- a/.github/workflows/update-pixi-lockfile.yml
+++ b/.github/workflows/update-pixi-lockfile.yml
@@ -19,7 +19,7 @@ jobs:
 with:
 ref: ${{ matrix.base_branch }}
 - name: Generate new lockfile
- uses: prefix-dev/setup-pixi@v0.8.7
+ uses: prefix-dev/setup-pixi@5044b250243a57e8c78f7c38acd73f6d7954a3cf # v0.8.7
 with:
 pixi-version: latest
 run-install: false

From 67cfb735df7d59065a5aafaade1c089c171bb559 Mon Sep 17 00:00:00 2001
From: Reimar Bauer
Date: Wed, 16 Apr 2025 20:46:26 +0200
Subject: [PATCH 08/11] updated and a missing sha

---
 .github/workflows/frizbee.yaml | 9 +++++++--
 .github/workflows/lint.yml | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/frizbee.yaml b/.github/workflows/frizbee.yaml
index 1aae9d654..760d670cf 100644
--- a/.github/workflows/frizbee.yaml
+++ b/.github/workflows/frizbee.yaml
@@ -1,4 +1,4 @@
-name: Frizbee Pinned ActionsCheck
+name: Frizbee Pinned Actions Check
 
 on:
 schedule:
@@ -11,9 +11,14 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- - uses: stacklok/frizbee-action@a0f3391cbe93a54e2a68cfaca2283f8cf3fd72ea # v0.0.2
+ with:
+ ref: ${{ matrix.base_branch }}
+ - name: Update hashes
+ uses: stacklok/frizbee-action@a0f3391cbe93a54e2a68cfaca2283f8cf3fd72ea # v0.0.2
 with:
 token: ${{ secrets.PAT }}
+ branch: automation/frizbee-sha
+ delete-branch: true
 actions: .github/workflows
 open_pr: true
 fail_on_unpinned: true
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 0c701b5f1..73ccbcf4f 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
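Review bot: In the second frizbee.yaml hunk of patch 08, `ref: ${{ matrix.base_branch }}` is added to the checkout step of a job that has no `strategy.matrix`, so the expression expands to an empty string and actions/checkout falls back to the event's default ref; the line appears copied from update-pixi-lockfile.yml, where a matrix does define `base_branch`, and should be dropped or replaced by an explicit branch. The added `branch: automation/frizbee-sha` and `delete-branch: true` inputs are not among the frizbee-action inputs used elsewhere in this series, so confirm them against the action's documented inputs before relying on them for the PR branch name. The frizbee_check job header lies above the hunk's first line.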
@@ -17,7 +17,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@v4
 - uses: prefix-dev/setup-pixi@5044b250243a57e8c78f7c38acd73f6d7954a3cf # v0.8.7
 with:
 pixi-version: latest

From f46b7065a098dc375d227d5e55fb8adc7137a09f Mon Sep 17 00:00:00 2001
From: Reimar Bauer
Date: Thu, 17 Apr 2025 13:46:42 +0200
Subject: [PATCH 09/11] name

---
 .github/workflows/enforce-sha.yaml | 2 +-
 .github/workflows/frizbee.yaml | 24 ------------------------
 2 files changed, 1 insertion(+), 25 deletions(-)
 delete mode 100644 .github/workflows/frizbee.yaml

diff --git a/.github/workflows/enforce-sha.yaml b/.github/workflows/enforce-sha.yaml
index b75059fa5..e6bab3166 100644
--- a/.github/workflows/enforce-sha.yaml
+++ b/.github/workflows/enforce-sha.yaml
@@ -6,7 +6,7 @@ on:
 - 'GSOC**'
 pull_request:
 
-name: Security
+name: lint with ensure-sha-pinned-actions
 
 jobs:
 ensure-pinned-actions:
diff --git a/.github/workflows/frizbee.yaml b/.github/workflows/frizbee.yaml
deleted file mode 100644
index 760d670cf..000000000
--- a/.github/workflows/frizbee.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: Frizbee Pinned Actions Check
-
-on:
- schedule:
- - cron: '0 0 * * *' # Run every day at midnight
- workflow_dispatch:
-
-jobs:
- frizbee_check:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- with:
- ref: ${{ matrix.base_branch }}
- - name: Update hashes
- uses: stacklok/frizbee-action@a0f3391cbe93a54e2a68cfaca2283f8cf3fd72ea # v0.0.2
- with:
- token: ${{ secrets.PAT }}
- branch: automation/frizbee-sha
- delete-branch: true
- actions: .github/workflows
- open_pr: true
- fail_on_unpinned: true

From c5b895633286448d757d7911ae5fb70e3c9a6527 Mon Sep 17 00:00:00 2001
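Review bot: The lint.yml hunk of patch 08 replaces the SHA pin `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4` with the floating tag `actions/checkout@v4`, which reverses the pinning this series introduces and should be reported by the ensure-sha-pinned-actions check, whose allowlist covers only `Open-MSS/`; the commit message says "a missing sha", so the two lines look accidentally inverted. Keep the removed line as the new side: `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4`. Patch 10's lint.yml index line starts from blob 0c701b5f1, the state before this change, so this hunk may already have been dropped in a rebase — worth confirming that the final lint.yml contains no unpinned `@v4` reference.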
From: Reimar Bauer
Date: Thu, 17 Apr 2025 13:54:14 +0200
Subject: [PATCH 10/11] moved to lint

---
 .github/workflows/enforce-sha.yaml | 22 ----------------------
 .github/workflows/lint.yml | 11 +++++++++++
 2 files changed, 11 insertions(+), 22 deletions(-)
 delete mode 100644 .github/workflows/enforce-sha.yaml

diff --git a/.github/workflows/enforce-sha.yaml b/.github/workflows/enforce-sha.yaml
deleted file mode 100644
index e6bab3166..000000000
--- a/.github/workflows/enforce-sha.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-on:
- push:
- branches:
- - develop
- - stable
- - 'GSOC**'
- pull_request:
-
-name: lint with ensure-sha-pinned-actions
-
-jobs:
- ensure-pinned-actions:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- - name: Ensure SHA pinned actions
- uses: zgosalvez/github-actions-ensure-sha-pinned-actions@4830be28ce81da52ec70d65c552a7403821d98d4 # v3
- with:
- allowlist: |
- Open-MSS/
- dry_run: 'false'
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 0c701b5f1..d9354b763 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -68,3 +68,14 @@ jobs:
 )"
 echo "$issues"
 [ "$issues" == "" ] || exit 1
+
+ ensure-sha-pinned-actions:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - name: Ensure SHA pinned actions
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@4830be28ce81da52ec70d65c552a7403821d98d4 # v3
+ with:
+ allowlist: |
+ Open-MSS/
+ dry_run: 'false'

From 71aaf6fa35fdf2a6cbe63c38a11837241bd29468 Mon Sep 17 00:00:00 2001
From: ReimarBauer
Date: Fri, 18 Apr 2025 15:03:51 +0200
Subject: [PATCH 11/11] Update .github/workflows/lint.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Matthias Riße <9308656+matrss@users.noreply.github.com>
---
 .github/workflows/lint.yml | 1 -
 1 file changed, 1 deletion(-)
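Review bot: The ensure-sha-pinned-actions job added to lint.yml in patch 10 omits `timeout-minutes`, while every sibling lint job visible in the earlier hunks of this file sets `timeout-minutes: 10`; add `timeout-minutes: 10` under `runs-on:` for consistency and so a stalled checkout cannot hold a runner indefinitely. The job now inherits lint.yml's triggers, which lie outside the hunk, whereas the deleted enforce-sha.yaml ran on pushes to develop, stable and `GSOC**` branches and on pull requests — confirm lint.yml's `on:` block covers the same set, otherwise the check silently stops running on some of them. A comment above `allowlist:` stating why `Open-MSS/` actions are exempt from pinning would spare the next reader a git-blame.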
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index d9354b763..334327897 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -78,4 +78,3 @@ jobs:
 with:
 allowlist: |
 Open-MSS/
- dry_run: 'false'