From 0730652ac9fbe29255dfd7094d59952bce448dce Mon Sep 17 00:00:00 2001
From: GaltRanch
Date: Sun, 24 May 2026 10:12:16 -0300
Subject: [PATCH] ci: pin third-party Actions to commit SHAs (CWE-829)

Signed-off-by: GaltRanch
---
 .github/workflows/build.yml | 12 ++++++++----
 .github/workflows/cpp-linter.yml | 6 ++++--
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e5c90670..2c5eb238 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -53,7 +53,8 @@ jobs:
 # run: make gcov
 - name: Upload
- uses: codecov/codecov-action@v5
+ # audit-note:cloud-006-gha-third-party-no-sha — Pin to a 40-char commit SHA. Tag refs are mutable and a repo takeover compromises every workflow using @v1.
+ uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: 'coverage/*.c.gcov'
@@ -149,7 +150,8 @@ jobs:
 # run: make gcov
 - name: Upload
- uses: codecov/codecov-action@v4
+ # audit-note:cloud-006-gha-third-party-no-sha — Pin to a 40-char commit SHA. Tag refs are mutable and a repo takeover compromises every workflow using @v1.
+ uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: 'coverage/*.c.gcov'
@@ -202,7 +204,8 @@ jobs:
 run: source ~/.bashrc && make gcov
 - name: Upload
- uses: codecov/codecov-action@v4
+ # audit-note:cloud-006-gha-third-party-no-sha — Pin to a 40-char commit SHA. Tag refs are mutable and a repo takeover compromises every workflow using @v1.
+ uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: 'coverage/*.c.gcov'
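Review bot: The comment inserted above `uses:` in this hunk (and repeated at -149 and -202, at -235, and in both cpp-linter.yml hunks) says a takeover "compromises every workflow using @v1", but the refs being replaced here are `@v5` and `@v4`, so it reads as a pasted template rather than a note about these lines, and at well over 120 characters it will also trip any line-length lint applied to the workflows. A shorter comment such as `# pinned to a commit SHA: tag refs are mutable and can be retargeted upstream; keep the trailing tag comment current` says the same thing, and the trailing `# v5` / `# v4` marker matters beyond documentation — Dependabot and Renovate use it to resolve and bump the pinned SHA, so it must match the upstream tag name exactly. The SHA-to-tag correspondence cannot be verified from the diff; each pinned commit should be checked against the tag it claims before merge, and the four codecov steps now carry two different pins (v5 here, v4 in the other three jobs), an inconsistency that predates this change but is worth collapsing to one so there is a single pin to maintain. The enclosing jobs and step lists begin outside these hunks.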
@@ -235,7 +238,8 @@ jobs:
 # run: make gcov
 - name: Upload
- uses: codecov/codecov-action@v4
+ # audit-note:cloud-006-gha-third-party-no-sha — Pin to a 40-char commit SHA. Tag refs are mutable and a repo takeover compromises every workflow using @v1.
+ uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: 'coverage/*.c.gcov'
diff --git a/.github/workflows/cpp-linter.yml b/.github/workflows/cpp-linter.yml
index 7aee2d04..5d8ea7da 100644
--- a/.github/workflows/cpp-linter.yml
+++ b/.github/workflows/cpp-linter.yml
@@ -14,7 +14,8 @@ jobs:
 run: sudo apt-get update && sudo apt-get install -y clang-format
 - name: Run Linter
- uses: DoozyX/clang-format-lint-action@v0.15
+ # audit-note:cloud-006-gha-third-party-no-sha — Pin to a 40-char commit SHA. Tag refs are mutable and a repo takeover compromises every workflow using @v1.
+ uses: DoozyX/clang-format-lint-action@c71d0bf4e21876ebec3e5647491186f8797fde31 # v0.15
 with:
 source: '.'
 extensions: 'c,h'
@@ -23,7 +24,8 @@ jobs:
 inplace: true
 - name: Auto-Commit Formatting Changes
- uses: stefanzweifel/git-auto-commit-action@v5
+ # audit-note:cloud-006-gha-third-party-no-sha — Pin to a 40-char commit SHA. Tag refs are mutable and a repo takeover compromises every workflow using @v1.
+ uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5
 with:
 commit_message: 'style: auto-format via clang-format'
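Review bot: Pinning `stefanzweifel/git-auto-commit-action` to a SHA in the -23 hunk fixes which code runs, but this step pushes commits with whatever token the workflow provides, and the job's `permissions:` block, its trigger, and the checkout step are all outside the hunk, so the write scope of that token is not reviewable here. If the workflow were triggered by `pull_request_target` or by a fork's pull request, the preceding clang-format step with `inplace: true` plus this auto-commit would be operating on untrusted changes with a write-capable token; confirm the trigger is `push` or a same-repository `pull_request` and that the job declares no more than `permissions: contents: write`. A short comment above this step recording that assumption, e.g. `# writes back to the repo: needs contents: write and must not run on pull_request_target`, would make the dependency explicit for the next maintainer.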