From 2c9cdd75acf614fb3b1e5d26182c04d1bb0db8c8 Mon Sep 17 00:00:00 2001
From: "Vitaly D." <netmin@pm.me>
Date: Fri, 29 May 2026 17:07:50 +0300
Subject: [PATCH] chore: update repo-governance actions to v0.4.0

Why:
- repo-governance v0.4.0 is the release that contains the current PR intake gate and Codex readiness fixes.
- Signum pins external actions to full commit SHAs, so the rollout should use the v0.4.0 release commit instead of the tag.

What changed:
- Update the PR Intake Gate workflow to the v0.4.0 repo-governance commit SHA.
- Sync the GitHub action pin inventory fixture and original-ref comment with the v0.4.0 source ref.

Testing:
- bash tests/test-github-action-pinning.sh
- git diff --check

Risk:
- narrow - only the shared repo-governance action ref and its static pin inventory changed; local PR intake policy semantics are unchanged.
---
 .github/workflows/pr-intake-gate.yml   |  4 ++--
 tests/fixtures/github-action-pins.json | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/pr-intake-gate.yml b/.github/workflows/pr-intake-gate.yml
index 81bab62..65e0469 100644
--- a/.github/workflows/pr-intake-gate.yml
+++ b/.github/workflows/pr-intake-gate.yml
@@ -31,8 +31,8 @@ jobs:
           persist-credentials: false
 
       - name: Run PR intake gate
-        # pinned from heurema/repo-governance/actions/pr-intake-gate@main
-        uses: heurema/repo-governance/actions/pr-intake-gate@a1f0c72edbbbe0513471b973e5afc799e7c51da1
+        # pinned from heurema/repo-governance/actions/pr-intake-gate@v0.4.0
+        uses: heurema/repo-governance/actions/pr-intake-gate@f6a16882fd5e28968d77be063bb0ed4dca266c99
         with:
           policy-path: .github/pr-intake-gate.yml
           github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/tests/fixtures/github-action-pins.json b/tests/fixtures/github-action-pins.json
index b7cbe38..500ba1b 100644
--- a/tests/fixtures/github-action-pins.json
+++ b/tests/fixtures/github-action-pins.json
@@ -49,15 +49,15 @@
     {
       "file": ".github/workflows/pr-intake-gate.yml",
       "occurrence": 2,
-      "uses": "heurema/repo-governance/actions/pr-intake-gate@a1f0c72edbbbe0513471b973e5afc799e7c51da1",
+      "uses": "heurema/repo-governance/actions/pr-intake-gate@f6a16882fd5e28968d77be063bb0ed4dca266c99",
       "kind": "external_action",
       "action": "heurema/repo-governance/actions/pr-intake-gate",
       "status": "pinned",
-      "originalRef": "main",
-      "pinnedSha": "a1f0c72edbbbe0513471b973e5afc799e7c51da1",
+      "originalRef": "v0.4.0",
+      "pinnedSha": "f6a16882fd5e28968d77be063bb0ed4dca266c99",
       "note": "pinned to full-length GitHub commit SHA; original ref preserved in adjacent YAML comment",
-      "resolution": "git rev-parse heurema/repo-governance main",
-      "peeledTagUsed": false
+      "resolution": "git rev-parse heurema/repo-governance v0.4.0^{commit}",
+      "peeledTagUsed": true
     },
     {
       "file": ".github/workflows/release-guardrails.yml",