From 0df6501d90e69af4987e5227dda40eedd8c59bd7 Mon Sep 17 00:00:00 2001
From: Shehab Anwer
Date: Wed, 11 Mar 2026 03:14:47 +0200
Subject: [PATCH] ci: pin all GitHub Actions to immutable commit SHAs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace mutable version tags with full commit SHAs to prevent supply-chain attacks via tag mutation. Version comments retained for readability.

SHA mapping (resolved 2026-03-11):
- actions/checkout v4 → 34e11487
- actions/setup-python v5 → a26af69b
- actions/upload-artifact v4 → ea165f8d
- github/codeql-action v3 → 820e3160

Already pinned (unchanged):
- pypa/gh-action-pip-audit → ecbf276b (v1.1.0)
- ossf/scorecard-action → 0864cf19 (v2.4.0)

Affected workflows: codeql-analysis, semgrep, bandit, pip-audit, scorecard.
---
 .github/workflows/bandit.yml | 8 ++++----
 .github/workflows/codeql-analysis.yml | 8 ++++----
 .github/workflows/pip-audit.yml | 4 ++--
 .github/workflows/scorecard.yml | 4 ++--
 .github/workflows/semgrep.yml | 4 ++--
 5 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index 9707c18..2f7c7b7 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -34,9 +34,9 @@ jobs:
 contents: read
 security-events: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: '3.12'
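Review bot: The trailing comments on the new `uses:` lines record only the major line (`# v4`, `# v5`), so a reader cannot tell which release each SHA was resolved from, while the commit message quotes exact tags (`v1.1.0`, `v2.4.0`) for the two actions that were already pinned. A SHA pin is only auditable if the comment names the exact tag it was resolved from, so I would write the resolved patch release in each comment instead of the floating major, consistent with the existing pins. Tools that bump SHA pins (Dependabot, Renovate) typically rewrite that comment alongside the hash, so the exact tag costs nothing to maintain. Separately, this checkout keeps the default `persist-credentials`, unlike the scorecard workflow in the same patch, which sets `persist-credentials: false`; a read-only scan job has no reason to leave the job token in `.git/config`, so adding `with:` / `persist-credentials: false` here would be cheap hardening while every checkout step is being touched. The job definition starts before this hunk.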
@@ -51,14 +51,14 @@ jobs:
 - name: Upload SARIF
 if: always()
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@820e3160e279568db735cee8ed8f8e77a6da7818 # v3
 with:
 sarif_file: bandit.sarif
 category: bandit
 - name: Upload JSON report
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: bandit-report
 path: bandit-report.json
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d9ff30b..69de781 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -42,17 +42,17 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@820e3160e279568db735cee8ed8f8e77a6da7818 # v3
 with:
 languages: ${{ matrix.language }}
 - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+ uses: github/codeql-action/autobuild@820e3160e279568db735cee8ed8f8e77a6da7818 # v3
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@820e3160e279568db735cee8ed8f8e77a6da7818 # v3
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml
index c7e05f0..58984f5 100644
--- a/.github/workflows/pip-audit.yml
+++ b/.github/workflows/pip-audit.yml
@@ -24,10 +24,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: "3.12"
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 7994fd6..53ee548 100644
--- a/.github/workflows/scorecard.yml
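Review bot: All three `github/codeql-action` sub-actions in the codeql-analysis hunk are pinned to the same commit `820e3160…`, which is correct — mixing `init` and `analyze` from different commits is not supported — but the trailing `# v3` should name the exact release the SHA was resolved from rather than the floating major, so the pin can be checked against upstream tags. Worth noting in the commit message: pinning the action's own code does not pin everything it runs; to my knowledge `codeql-action/init` downloads a CodeQL CLI bundle at run time unless the `tools:` input is set, so the supply-chain guarantee here covers the wrapper, not the analyzer binary. If that matters for this repository's threat model, a `tools:` input on the init step would close the gap; otherwise a one-line caveat in the commit message is enough. The job and its `permissions:` block start before this hunk.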
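Review bot: The checkout step in the pip-audit hunk is pinned but still uses the default `persist-credentials`, unlike the scorecard workflow in this same patch, which passes `persist-credentials: false`; a job that only installs Python and runs an audit has no reason to leave the job token in `.git/config` for later steps to read. I would add `with:` / `persist-credentials: false` under the checkout `uses:` line, matching scorecard.yml. As in the other hunks, `# v4` and `# v5` should record the exact tag each SHA was resolved from, not the major line. The job's `permissions:` block is outside this hunk, so I cannot confirm the token's scope.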
+++ b/.github/workflows/scorecard.yml
@@ -27,7 +27,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
@@ -39,7 +39,7 @@ jobs:
 publish_results: true
 - name: Upload SARIF to Code Scanning
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@820e3160e279568db735cee8ed8f8e77a6da7818 # v3
 if: always()
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index e85e6d3..4067f5f 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -38,13 +38,13 @@ jobs:
 contents: read
 security-events: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Semgrep scan
 run: semgrep scan --config=auto --sarif -o semgrep.sarif || true
 - name: Upload SARIF
 if: always()
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@820e3160e279568db735cee8ed8f8e77a6da7818 # v3
 with:
 sarif_file: semgrep.sarif
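Review bot: Style only: the Upload SARIF step in the second scorecard hunk orders its keys `name`, `uses`, `if`, `with`, whereas the same step in bandit.yml and semgrep.yml in this patch puts `if: always()` before `uses:`. Since the commit rewrites the `uses:` line in every one of these steps anyway, it is a cheap moment to make the key order uniform; behaviour is unaffected either way. The `# v3` comment should name the exact tag the SHA was resolved from, as elsewhere.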
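Review bot: The context line `run: semgrep scan --config=auto --sarif -o semgrep.sarif || true` in the semgrep hunk undercuts the pinning this commit adds: `--config=auto` pulls an unpinned rule set from the Semgrep registry at run time, and `|| true` turns any failure — a broken install, a network error, no `semgrep.sarif` written — into a green step, after which the pinned `upload-sarif` step runs against a file that may not exist. The commit does not touch that line, so this is a follow-up rather than a blocker, but if `|| true` exists only to keep findings from failing the job, `|| [ $? -eq 1 ]` preserves that while still propagating semgrep's other exit codes (confirm which exit code the installed semgrep version uses for findings). How semgrep itself is installed is outside this hunk, so I cannot tell whether it is version-pinned. The `# v4` / `# v3` comments should also name the exact tags the SHAs were resolved from.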