From 5360f232ec3bf5a9eea83389287dfaaf2a6c8890 Mon Sep 17 00:00:00 2001
From: Patrick Kaeding
Date: Mon, 30 Mar 2026 12:05:07 -0400
Subject: [PATCH] [SEC-7924] chore: pin third-party GitHub Actions to commit SHAs

Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the third-party-action-not-pinned-to-commit-sha Semgrep rule.
---
 .github/workflows/ci.yml      | 2 +-
 .github/workflows/release.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7e8e27d..046eaa9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -114,7 +114,7 @@ jobs:
         with:
           name: targets
           path: targets
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1
         with:
           ruby-version: '2.7'
       - name: Prepare RubyGems / ffi
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3187ddb..3dfd06f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -79,7 +79,7 @@ jobs:
       matrix:
         repo: ['api-client-go', 'api-client-java', 'api-client-python', 'api-client-ruby', 'api-client-typescript']
     steps:
-      - uses: ncipollo/release-action@v1.14.0
+      - uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
        with:
          repo: ${{ matrix.repo }}
          token: ${{ secrets.BOT_TOKEN }}
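Review bot: The trailing `# v1` on the new `ruby/setup-ruby` pin in ci.yml records a moving major tag rather than the release the SHA was resolved from, so a later reader cannot re-check that the commit corresponds to any specific version; annotate with the exact release tag instead, e.g. `# v<EXACT-RELEASE-TAG>` (placeholder), which is also the comment Dependabot/Renovate read when proposing SHA bumps. A SHA pin deliberately freezes the action, so unless an updater for the `github-actions` ecosystem is configured — nothing in this patch shows one — it also freezes future security fixes; worth confirming that config exists. The step just above the hunk (only its `with: name: targets / path: targets` context is visible) is presumably a GitHub-owned artifact action that the cited Semgrep rule exempts; a tag there is still a mutable reference and can be pinned the same way. The enclosing job begins before the hunk.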
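Review bot: In release.yml the pinned `ncipollo/release-action` step still receives `secrets.BOT_TOKEN`, so the SHA pin is the only control between that credential and third-party code; pairing the pin with a least-privilege `permissions:` block on the job (none is visible in the hunk, so it may be defined above) and a token scoped to the five repos in the static `matrix.repo` list would bound the impact if the pinned commit were ever found to be compromised. The `# v1.14.0` annotation is the right form — an exact tag that an automated updater can track. The job definition starts outside the hunk.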