From 5bea778f3f94947e02a609282ce333c58e35e52e Mon Sep 17 00:00:00 2001
From: youngjk
Date: Tue, 21 Apr 2026 11:11:14 -0400
Subject: [PATCH] SEC-178: pin GitHub Action refs to full SHAs
Pins actions/checkout@v6 and actions/setup-python@v6 in ci.yml and publish.yml to the full commit SHAs of the v6 tags as of 2026-04-21. Required before the org-wide sha_pinning_required policy (rootlyhq/terraform-rootly#891) lands; otherwise this repo's CI would fail validation at the "Set up job" step on first run after apply. SHAs: actions/checkout@v6 -> de0fac2e4500dabe0009e67214ff5f5447ce83dd actions/setup-python@v6 -> a309ff8b426b58ec0e2a45f0f869d46889d02405 Linear: SEC-178 (follow-up to SEC-89).
---
 .github/workflows/ci.yml | 8 ++++----
 .github/workflows/publish.yml | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ab927f5a..bb112580 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,10 +10,10 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: '3.12'
@@ -35,10 +35,10 @@ jobs:
 matrix:
 python-version: ['3.10', '3.11', '3.12']
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: ${{ matrix.python-version }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d2ae385c..7bb71dd4 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
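Review bot: The trailing `# v6` on the pinned `uses:` lines in ci.yml names the floating major tag, not the release the SHA belongs to, so the pin cannot be audited from the file alone and will drift from `v6` without any visible signal once that tag moves. Recording the exact release in the comment, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # vX.Y.Z` (placeholder for the tag that SHA resolves to), lets a reviewer or an update bot map the hash back to a tag. Before merge it is also worth confirming that each SHA is reachable from a tag in the upstream `actions/*` repository itself, because a commit that exists only in a fork can still be resolved under the `owner/repo@` prefix. The same point applies to both hunks in ci.yml (the `lint` job and the matrix job) and to the hunk in publish.yml.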
@@ -10,10 +10,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: '3.12'
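Review bot: Only the checkout and setup-python steps of the publish job are pinned here, and the job's remaining steps lie outside the hunk, so it is not visible whether a later `uses:` still points at a tag. Per the commit message, the org policy rejects unpinned refs at "Set up job", so any step left on a tag would fail this workflow on its next run, which for a publish job is presumably at release time rather than on this PR. Running `grep -rnE 'uses: .+@v[0-9]' .github/workflows` before merge would confirm nothing is left on a tag. If the repository has no updater configured (not visible here), a Dependabot entry with `package-ecosystem: "github-actions"` would keep the pinned SHAs from going stale and missing upstream security fixes.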