From bde35986452e8640815cb816e745392eea31d18a Mon Sep 17 00:00:00 2001
From: achingbrain
Date: Wed, 24 Sep 2025 10:57:33 +0300
Subject: [PATCH] chore: pin release please fork version

Work around https://github.com/googleapis/release-please/issues/2265 by using a fork of release-please-action with the fix applied. Pins the version to a specific commit to prevent supply chain attack.
---
 .github/workflows/main.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 2148f95a0f..457293f7ed 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -259,7 +259,10 @@ jobs:
 id-token: write
 pull-requests: write
 steps:
- - uses: gvillo/release-please-action@v4.2.1-gvillo
+ # use fork to work around https://github.com/googleapis/release-please/issues/2265
+ # can probably be reverted once extra modules added to perform v3 release
+ # are removed (gossipsub, noise, yamux, libp2p-daemon-*, interop, etc).
+ - uses: gvillo/release-please-action@93642002875a0df65de8abeeeabcaeacb7c735f4 # v4.2.1-gvillo
 id: release
 with:
 token: ${{ secrets.UCI_GITHUB_TOKEN || github.token }}
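Review bot: The new `uses:` line freezes the fork at a full commit SHA, but nothing in the added comment records that the SHA was checked against the `v4.2.1-gvillo` tag or that the fork's changes over googleapis/release-please-action were reviewed, even though this step receives `secrets.UCI_GITHUB_TOKEN` in a job holding `id-token: write` and `pull-requests: write`. A pin stops a retargeted tag but does not vouch for the code at that commit, so the comment block is the place to record the check, for example `# SHA verified against tag v4.2.1-gvillo; fork diff vs upstream reviewed (<reviewer/date placeholder>)`. Because GitHub can resolve a commit SHA from elsewhere in a fork network, it is also worth confirming the commit is reachable from the fork's own tag rather than merely resolvable. The job's permissions block and remaining steps begin and end outside the hunk, so whether the token scope could be narrowed for this step cannot be judged from here.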