From fc037cfafecac8d5073367319502152e885f11a7 Mon Sep 17 00:00:00 2001
From: Marika Marszalkowski
Date: Wed, 15 Apr 2026 13:52:10 +0200
Subject: [PATCH 1/2] chore: Pin actions to commits not versions
---
 .github/workflows/auto-lint-fix.yml | 6 +++---
 .github/workflows/build_documentation.yml | 20 +++++++++-----------
 .github/workflows/codeql-analysis.yml | 8 ++++----
 .github/workflows/release.yml | 4 ++--
 4 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/auto-lint-fix.yml b/.github/workflows/auto-lint-fix.yml
index 31a84aeece..1b2be9b2d0 100644
--- a/.github/workflows/auto-lint-fix.yml
+++ b/.github/workflows/auto-lint-fix.yml
@@ -12,7 +12,7 @@ jobs:
 steps:
 - name: Generate GitHub App token
 id: app-token
- uses: actions/create-github-app-token@v3
+ uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
 with:
 app-id: ${{ secrets.SAP_CLOUD_SDK_BOT_CLIENT_ID }}
 private-key: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }}
@@ -20,13 +20,13 @@ jobs:
 repositories: cloud-sdk
 permission-contents: write
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 ref: ${{ github.event.pull_request.head.ref }}
 token: ${{ steps.app-token.outputs.token }}
 - name: Setup Node
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 20
 - name: Install dependencies
diff --git a/.github/workflows/build_documentation.yml b/.github/workflows/build_documentation.yml
index 48c498a650..b861eb6f74 100644
--- a/.github/workflows/build_documentation.yml
+++ b/.github/workflows/build_documentation.yml
@@ -9,7 +9,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Determine Changed Files
 id: changed-files
 run: |
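Review bot: The SHA pins are only as trustworthy as the trailing `# v3.1.1`-style comments next to them, and nothing in this change records how those SHAs were resolved; a reviewer cannot tell from the diff that `1b10c78c…` is the commit the upstream `v3.1.1` tag points at. Before merging, resolve each tag upstream and compare it with the pinned SHA, and do the same for every `uses:` line in the remaining hunks of this patch (the second auto-lint-fix hunk and the build_documentation.yml, codeql-analysis.yml and release.yml hunks). The previous floating refs such as `@v3` picked up patch releases automatically and these pins do not, so confirm that `.github/dependabot.yml` (not part of this diff) has a `package-ecosystem: github-actions` entry, since Dependabot updates SHA pins and rewrites the version comment alongside them; without that the pins and their comments drift silently. The enclosing `steps:` list continues past the hunk.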
@@ -23,13 +23,11 @@ jobs:
 - name: Vale Linter
 # vale fails if the PR is too large, e.g. when updating API docs
 if: ${{ github.event.pull_request.changed_files < 100 }}
- # You may pin to the exact commit or the version.
- # uses: errata-ai/vale-action@0da98680790f89b8d5b685de9c264f55addc971b
- uses: errata-ai/vale-action@reviewdog
+ uses: vale-cli/vale-action@0135b9fe2b3107365569cc3142b9a1c85221ea2f # reviewdog
 with:
 # version of 'vale' to use
 # see https://github.com/errata-ai/vale for all releases
- version: 3.0.5
+ version: 3.14.1
 # changed files. computed in the step above
 files: ${{ steps.changed-files.outputs.CHANGED_FILES }}
 # the separator for the file list. we are using a comma (see step above)
@@ -40,10 +38,10 @@ jobs:
 # Required
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
 - name: Setup Node
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 20
- - uses: actions/cache@v5
+ - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 id: cache
 with:
 path: node_modules
@@ -58,12 +56,12 @@ jobs:
 needs: [checks]
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Setup Node
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 20
- - uses: actions/cache@v5
+ - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 id: cache
 with:
 path: node_modules
@@ -83,7 +81,7 @@ jobs:
 steps:
 - name: Dependabot metadata
 id: metadata
- uses: dependabot/fetch-metadata@v3.0.0
+ uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 # v3.0.0
 with:
 github-token: '${{ secrets.GITHUB_TOKEN }}'
 - name: Approve a PR
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index fdc505181a..73693d892f 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -38,11 +38,11 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
 with:
 languages: ${{ matrix.language }}
 config-file: ./.github/codeql/codeql-config.yml
@@ -56,7 +56,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@v4
+ uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -69,4 +69,4 @@ jobs:
 # ./location_of_script_within_repo/buildscript.sh
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 590bd5232e..e260ca0489 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,8 +9,8 @@ jobs:
 release:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 24
 - name: Release Documentation to GitHub Pages
From 665ff66f91cbbbb9c7d45d34bc110453b7cb7190 Mon Sep 17 00:00:00 2001
From: Marika Marszalkowski
Date: Thu, 16 Apr 2026 07:43:28 +0200
Subject: [PATCH 2/2] Update .github/workflows/build_documentation.yml
Co-authored-by: David Knaack
---
 .github/workflows/build_documentation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_documentation.yml b/.github/workflows/build_documentation.yml
index b861eb6f74..4ee8da66c2 100644
--- a/.github/workflows/build_documentation.yml
+++ b/.github/workflows/build_documentation.yml
@@ -23,7 +23,7 @@ jobs:
 - name: Vale Linter
 # vale fails if the PR is too large, e.g. when updating API docs
 if: ${{ github.event.pull_request.changed_files < 100 }}
- uses: vale-cli/vale-action@0135b9fe2b3107365569cc3142b9a1c85221ea2f # reviewdog
+ uses: vale-cli/vale-action@d89dee975228ae261d22c15adcd03578634d429c # v2.1.1
 with:
 # version of 'vale' to use
 # see https://github.com/errata-ai/vale for all releases
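Review bot: The context line `# see https://github.com/errata-ai/vale for all releases` now sits directly under an action fetched from the `vale-cli` org, so the comment and the new `uses:` line point at different organisations and a reader cannot tell which one is authoritative. If the vale CLI repository moved together with the action, the link is stale and should be updated; if it did not, say so explicitly, e.g. `# see https://github.com/errata-ai/vale for CLI releases (the action itself lives under vale-cli)`. The `version: 3.14.1` input below was carried over from the old `errata-ai/vale-action@reviewdog` branch pin, and whether the `v2.1.1` release of the relocated action still accepts that input cannot be verified from this diff, so it is worth confirming once against the action's README before relying on it. The Vale step's `with:` block continues past the hunk.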