From ef6aed54827292ee2ce8a32eac0302bcf09cccc1 Mon Sep 17 00:00:00 2001
From: Q Bera
Date: Tue, 9 Jun 2026 12:00:26 -0400
Subject: [PATCH] ci: pin GitHub Actions to full commit SHA
---
 .github/workflows/check-fast-forward.yml | 2 +-
 .github/workflows/ci.yml | 8 ++++----
 .github/workflows/fast-forward.yml | 2 +-
 .github/workflows/slither.yaml | 6 +++---
 .github/workflows/tests-merge.yml | 6 +++---
 .github/workflows/tests-pr.yml | 6 +++---
 6 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/check-fast-forward.yml b/.github/workflows/check-fast-forward.yml
index bd529a3..95e5fb0 100644
--- a/.github/workflows/check-fast-forward.yml
+++ b/.github/workflows/check-fast-forward.yml
@@ -37,7 +37,7 @@ jobs:
 fi
 - name: Fast forwarding
- uses: sequoia-pgp/fast-forward@v1
+ uses: sequoia-pgp/fast-forward@ea7628bedcb0b0b96e94383ada458d812fca4979 # v1.0.0
 with:
 merge: false
 comment: on-error # always | never | on-error
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index aecb7fa..fa55254 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,15 +27,15 @@ jobs:
 name: ${{ matrix.job_name }}
 steps:
 - name: Check out the repo
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 submodules: recursive
 - name: Install Foundry
- uses: foundry-rs/foundry-toolchain@v1
+ uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d # v1.8.0
 - name: Install Bun
- uses: oven-sh/setup-bun@v1
+ uses: oven-sh/setup-bun@f4d14e03ff726c06358e5557344e1da148b56cf7 # v1.2.2
 - name: Install the Node.js dependencies
 run: bun install
@@ -50,7 +50,7 @@ jobs:
 - if: ${{ matrix.job_name == 'coverage' }}
 name: Upload coverage reports to Codecov
- uses: codecov/codecov-action@v2
+ uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b # v2.1.0
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: ./test-forge-cover.txt
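Review bot: Nothing in this patch shows that `ea7628bedcb0b0b96e94383ada458d812fca4979` is the commit the trailing `# v1.0.0` comment claims, and the old `@v1` ref may have been tracking a later 1.x release, so this pin could be a silent downgrade. Before merging, confirm the SHA is what the upstream `v1.0.0` tag points to in `sequoia-pgp/fast-forward` itself, since GitHub also resolves a SHA that exists only in a fork of that repository. The same pin is repeated in `fast-forward.yml`, where `merge: true` presumably lets the action move the branch. The diffstat lists no update configuration, so if none exists already, add a `package-ecosystem: "github-actions"` entry to `.github/dependabot.yml` so these SHAs do not go stale.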
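Review bot: Pinning `foundry-rs/foundry-toolchain` and `oven-sh/setup-bun` to a SHA fixes the action code, but neither step in this hunk has a `with:` block, so each action still downloads whatever Foundry and Bun release it resolves by default at run time. To make the build inputs reproducible, give the two steps an explicit `version:` and `bun-version:` respectively, and change the last step to `run: bun install --frozen-lockfile` so dependency resolution cannot drift from the committed lockfile in CI. The same three steps appear in `tests-merge.yml` and `tests-pr.yml`. The job definition starts above this hunk, so a setting outside the visible lines is not ruled out.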
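Review bot: This step hands `secrets.CODECOV_TOKEN` to a third-party action that is now frozen at v2.1.0, a major line well behind the maintained releases of `codecov/codecov-action`. A SHA pin stops the tag from moving but also stops fixes from arriving, so I would move to a maintained major in the same change and pin that instead, e.g. `uses: codecov/codecov-action@<FULL_COMMIT_SHA> # <CURRENT_VERSION>`. It is also worth checking which triggers reach this step, since the `on:` block is outside the hunk.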
diff --git a/.github/workflows/fast-forward.yml b/.github/workflows/fast-forward.yml
index ebfe1d5..884d089 100644
--- a/.github/workflows/fast-forward.yml
+++ b/.github/workflows/fast-forward.yml
@@ -41,7 +41,7 @@ jobs:
 exit 1
 fi
 - name: Fast forwarding
- uses: sequoia-pgp/fast-forward@v1
+ uses: sequoia-pgp/fast-forward@ea7628bedcb0b0b96e94383ada458d812fca4979 # v1.0.0
 with:
 merge: true
 comment: on-error # always | never | on-error
diff --git a/.github/workflows/slither.yaml b/.github/workflows/slither.yaml
index d720fa7..2725c52 100644
--- a/.github/workflows/slither.yaml
+++ b/.github/workflows/slither.yaml
@@ -9,15 +9,15 @@ jobs:
 steps:
 # Add Docker Hub authentication with rate limiting configuration
 - name: Login to Docker Hub
- uses: docker/login-action@v2
+ uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
 with:
 username: ${{ secrets.DOCKERHUB_USER }}
 password: ${{ secrets.DOCKERHUB_PASSWORD }}
 registry: docker.io
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- - uses: crytic/slither-action@v0.4.1
+ - uses: crytic/slither-action@4fd765aeef19915d04ddf0be90c2930036a774d8 # v0.4.1
 with:
 fail-on: none
diff --git a/.github/workflows/tests-merge.yml b/.github/workflows/tests-merge.yml
index 40ba446..7a08024 100644
--- a/.github/workflows/tests-merge.yml
+++ b/.github/workflows/tests-merge.yml
@@ -14,15 +14,15 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Check out the repo
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 submodules: recursive
 - name: Install Foundry
- uses: foundry-rs/foundry-toolchain@v1
+ uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d # v1.8.0
 - name: Install Bun
- uses: oven-sh/setup-bun@v1
+ uses: oven-sh/setup-bun@f4d14e03ff726c06358e5557344e1da148b56cf7 # v1.2.2
 - name: Install the Node.js dependencies
 run: bun install
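Review bot: In the `slither.yaml` hunk the pinned `docker/login-action` step still receives `secrets.DOCKERHUB_PASSWORD`, while the comment above it describes the login as being for rate limiting. If that secret holds an account password rather than a read-only access token, replace it with a token limited to public-repository reads, so a leak from this job cannot be used to push images. Separately, `fail-on: none` in the context lines means Slither findings never fail the job; if that is intended, say so next to it, e.g. `# advisory only: findings are reported but do not block the merge`.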
diff --git a/.github/workflows/tests-pr.yml b/.github/workflows/tests-pr.yml
index 460e22a..195c240 100644
--- a/.github/workflows/tests-pr.yml
+++ b/.github/workflows/tests-pr.yml
@@ -10,15 +10,15 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Check out the repo
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 submodules: recursive
 - name: Install Foundry
- uses: foundry-rs/foundry-toolchain@v1
+ uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d # v1.8.0
 - name: Install Bun
- uses: oven-sh/setup-bun@v1
+ uses: oven-sh/setup-bun@f4d14e03ff726c06358e5557344e1da148b56cf7 # v1.2.2
 - name: Install the Node.js dependencies
 run: bun install