From ddd6e460a1dd6d95c7d44ced64a3eae029846fa2 Mon Sep 17 00:00:00 2001 From: Codacy Security Bot Date: Tue, 24 Mar 2026 18:13:51 +0000 Subject: [PATCH] Security: pin GitHub Actions to SHA hashes Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0 --- .github/workflows/deleted-files.yml | 6 +++--- .github/workflows/docusaurus.yml | 6 +++--- .github/workflows/enforce-labels.yml | 2 +- .github/workflows/jira.yml | 8 ++++---- .github/workflows/readability.yml | 4 ++-- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/deleted-files.yml b/.github/workflows/deleted-files.yml index 43061cc37b..a738dff2e4 100644 --- a/.github/workflows/deleted-files.yml +++ b/.github/workflows/deleted-files.yml @@ -11,11 +11,11 @@ jobs: name: Detect deleted files steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Get changed docs md files id: changed-files - uses: tj-actions/changed-files@v45 + uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45 with: files: docs/**/*.md @@ -30,7 +30,7 @@ jobs: - name: Comment PR if there are deleted files if: steps.changed-files.outputs.any_deleted == 'true' - uses: thollander/actions-comment-pull-request@v2 + uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2 with: message: | ## Remember to add redirects diff --git a/.github/workflows/docusaurus.yml b/.github/workflows/docusaurus.yml index d22ca42da1..6791451172 100644 --- a/.github/workflows/docusaurus.yml +++ b/.github/workflows/docusaurus.yml 
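Review bot: The trailing comments on the new `uses:` lines in the first hunk record only the mutable major tag (`# v4`, `# v45`), so a reader cannot tell which release each 40-character SHA was taken from or re-check it against upstream later; record the exact release tag that resolved to the SHA instead, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.<minor>.<patch>`, and likewise for `tj-actions/changed-files`. That second action is the one whose tags were retargeted to a malicious commit in March 2025 (CVE-2025-30066), so pinning it is the right mitigation, but the hash itself should be confirmed to be a commit reachable from a release in the upstream `tj-actions/changed-files` repository rather than a fork or PR head — the diff gives me no way to verify any of these hashes. SHA pins also rot unless something bumps them; if the repository does not already have a Dependabot `package-ecosystem: github-actions` entry, adding one keeps these pins and their version comments current. The YAML indentation and blank lines of the hunk are lost in this rendering, so the shape of the `steps:` list is inferred.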
@@ -23,10 +23,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 20 cache: npm @@ -39,7 +39,7 @@ jobs: run: npm run build - name: Deploy to gh-pages - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: docusaurus/build diff --git a/.github/workflows/enforce-labels.yml b/.github/workflows/enforce-labels.yml index 125dfcb739..fb5c57d10b 100644 --- a/.github/workflows/enforce-labels.yml +++ b/.github/workflows/enforce-labels.yml @@ -8,6 +8,6 @@ jobs: enforce-label: runs-on: ubuntu-latest steps: - - uses: yogevbd/enforce-label-action@2.2.2 + - uses: yogevbd/enforce-label-action@a3c219da6b8fa73f6ba62b68ff09c469b3a1c024 # 2.2.2 with: BANNED_LABELS: "don't merge" diff --git a/.github/workflows/jira.yml b/.github/workflows/jira.yml index 308e5800e8..502a1f7f61 100644 --- a/.github/workflows/jira.yml +++ b/.github/workflows/jira.yml @@ -10,7 +10,7 @@ jobs: steps: - name: Jira login id: login - uses: atlassian/gajira-login@v3.0.1 + uses: atlassian/gajira-login@45fd029b9f1d6d8926c6f04175aa80c0e42c9026 # v3.0.1 env: JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }} JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }} @@ -18,7 +18,7 @@ jobs: - name: Create Jira issue id: create_jira_issue - uses: atlassian/gajira-create@v3 + uses: atlassian/gajira-create@1ff0b6bd115a780592b47bfbb63fc4629132e6ec # v3 with: project: DOCS issuetype: Bug 
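Review bot: In the `Deploy to gh-pages` hunk the step still hands `peaceiris/actions-gh-pages` the repository `GITHUB_TOKEN`, and a SHA pin only fixes which code runs, not what that code may do with the token; the job's `permissions:` block, which sits outside this hunk, should grant exactly what the push needs, i.e. `permissions: { contents: write }` (or the block form), so a buggy or later-compromised action cannot reach other scopes. If the workflow has no `permissions:` key at all, the token's scopes fall back to the repository default, which may still be read/write on everything — I cannot see that from the diff. As on the other pins, `# v4` should name the exact release the SHA resolves to rather than the moving major tag.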
@@ -33,7 +33,7 @@ jobs: fields: '{"customfield_10009": "DOCS-162", "labels": ["Quality"]}' - name: Update title of GitHub issue - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 env: JIRA_ISSUE_NUMBER: ${{ steps.create_jira_issue.outputs.issue }} GITHUB_ORIGINAL_TITLE: ${{ github.event.issue.title }} @@ -49,7 +49,7 @@ jobs: }) - name: Add comment to GitHub issue - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/readability.yml b/.github/workflows/readability.yml index b8fab7829d..8072c1f57e 100644 --- a/.github/workflows/readability.yml +++ b/.github/workflows/readability.yml @@ -9,10 +9,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repo with history - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: Rebilly/lexi@v2 + - uses: Rebilly/lexi@5a517542b048ca8cb46e43f27736fed84dfb0e84 # v2 with: github-token: ${{ secrets.GITHUB_TOKEN }} glob: 'docs/**/*.md' \ No newline at end of file
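Review bot: In the readability hunk `Rebilly/lexi` receives the `GITHUB_TOKEN` plus a full-history checkout (`fetch-depth: 0`), and it is a single-vendor third-party action rather than one from `actions/*`; the pin makes its code immutable, but the job should also scope `permissions:` to what a report-posting step needs, presumably `contents: read` and `pull-requests: write`, which lives outside this hunk and I cannot confirm. The version comment `# v2` should be replaced by the exact release tag the SHA was resolved from, e.g. `uses: Rebilly/lexi@5a517542b048ca8cb46e43f27736fed84dfb0e84 # v2.<minor>.<patch>`, so the pin can be audited and bumped. The preceding `jira.yml` hunks correctly pass `github.event.issue.title` through `env:` instead of interpolating it into `script:`; the `script:` bodies are outside the hunks, so that they read it via `process.env` is assumed, not verified.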