From c18a78ef58a5845d47299fd9063f6556fd77812b Mon Sep 17 00:00:00 2001
From: David Galloway
Date: Thu, 20 Mar 2025 09:21:27 -0400
Subject: [PATCH] workflows: Pin specific SHAs

Fixes https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup

Signed-off-by: David Galloway
---
 .github/workflows/create-backport-trackers.yml | 4 ++--
 .github/workflows/stale.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/create-backport-trackers.yml b/.github/workflows/create-backport-trackers.yml
index 79b03f62c1c..4706311c59b 100644
--- a/.github/workflows/create-backport-trackers.yml
+++ b/.github/workflows/create-backport-trackers.yml
@@ -37,13 +37,13 @@ jobs:
 runs-on: ubuntu-latest
 if: github.ref == 'refs/heads/main'
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 sparse-checkout: |
 src/script/backport-create-issue
 src/script/requirements.backport-create-issue.txt
 sparse-checkout-cone-mode: false
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
 with:
 python-version: '>=3.6 <3.12'
 cache: 'pip'
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 510a6bebd4e..1805ae36533 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -9,7 +9,7 @@ jobs:
 stale:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/stale@v9
+ - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
 with:
 # PAT for GitHub API authentication
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
-- 
2.39.5
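Review bot: In `create-backport-trackers.yml`, the pinned `actions/checkout` step still uses its default credential persistence, so the job token is written into the checkout's git config and stays readable by every later step, including `setup-python` and whatever installs from the checked-out requirements file. The rest of the job lies outside the hunk, so first confirm that no later step pushes with git, then add `persist-credentials: false` under that step's `with:`. Separately, the trailing `# v4.2.2` and `# v5.4.0` comments are the only link between each SHA and a release. Verify each SHA against the upstream tag, and let Dependabot or Renovate update the SHA and comment together so the pins do not go stale.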
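Review bot: In `stale.yml`, no `permissions:` key appears on the `stale` job between `stale:` and `steps:`, so unless one is set at workflow level above line 9 (outside this hunk), `secrets.GITHUB_TOKEN` reaches the action with the repository's default scopes. Pinning the SHA fixes which code runs, but scoping the token bounds what that code can do if a pinned dependency is ever compromised. Declare the minimum on the job, e.g. `permissions:` with `issues: write` and `pull-requests: write`, plus anything else the action's README lists for this version. The context comment `# PAT for GitHub API authentication` is also inaccurate, since the value passed is the workflow's `GITHUB_TOKEN` rather than a personal access token; `# Workflow GITHUB_TOKEN used for GitHub API calls` would describe it correctly.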