From dc0632efd1189efb27c8c69f0c8ae4040e632a60 Mon Sep 17 00:00:00 2001
From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com>
Date: Fri, 10 Apr 2026 16:19:02 +0200
Subject: [PATCH 1/4] chore: pin actions to SHA in .github/workflows/publish.yml
---
 .github/workflows/publish.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2039ae2..515df34 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -18,7 +18,7 @@ jobs:
 version_changed: ${{ steps.check.outputs.changed }}
 version: ${{ steps.check.outputs.version }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
@@ -38,10 +38,10 @@ jobs:
 runs-on: ubuntu-latest
 environment: npm
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: '24'
 cache: 'npm'
@@ -61,7 +61,7 @@ jobs:
 steps:
 - name: Generate GitHub App token
 id: dispatch-token
- uses: actions/create-github-app-token@v1
+ uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
 with:
 app-id: ${{ vars.GENERIC_CI_RW_APP_ID }}
 private-key: ${{ secrets.GENERIC_CI_RW_APP_PRIVATE_KEY }}
@@ -70,7 +70,7 @@ jobs:
 vscode-motoko
 - name: Trigger vscode-motoko (bump motoko npm in extension)
- uses: peter-evans/repository-dispatch@v3
+ uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
 with:
 token: ${{ steps.dispatch-token.outputs.token }}
 repository: caffeinelabs/vscode-motoko
From d4c0695165b1d33577eea65d5f9728255e207004 Mon Sep 17 00:00:00 2001
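Review bot: The pinned `actions/checkout` step in the publish job of .github/workflows/publish.yml (the job under `environment: npm`, hunk at line 38) still runs with default inputs, so the job's GITHUB_TOKEN stays in the checkout's git config while the later steps install dependencies and publish. The SHA pin fixes which action code runs, but any install script executed later in the same job can still read that persisted credential. If no later step in this job pushes with git (the rest of the job lies outside the hunk), I would add `with: { persist-credentials: false }` to this checkout step.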
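Review bot: The `dispatch-token` step in the hunk at line 61 mints a token from `GENERIC_CI_RW_APP_PRIVATE_KEY` with no permission restriction among the visible inputs, so the token presumably carries every permission the app installation has on the target repository. Its only visible consumer is the repository-dispatch step, which needs much less than a generic read-write app grants. If the pinned release accepts the action's `permission-*` inputs, request only what the dispatch needs, for example `permission-contents: write`; the same point applies to the `app-token` step in .github/workflows/update-moc.yml, which feeds create-pull-request. The `with:` block continues outside the hunk, so confirm no such input is already set there.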
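Review bot: The version comment on the pinned `peter-evans/repository-dispatch` line (hunk at line 70) is `# v3`, a moving major tag, while every other pin in this series names an exact release (`# v4.3.1`, `# v1.12.0`, `# v7.0.11`). From `# v3` a reader cannot tell which release the SHA was taken from, and the comment will still look correct after the tag has moved on. I would resolve the SHA to its release tag and write that out, e.g. `# v3.<minor>.<patch>` (placeholder; the exact release is not stated on this page). The series also adds no update automation for these pins; if the repository has none, a `package-ecosystem: "github-actions"` entry in `.github/dependabot.yml` would keep SHA and comment moving together.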
From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com>
Date: Fri, 10 Apr 2026 16:19:04 +0200
Subject: [PATCH 2/4] chore: pin actions to SHA in .github/workflows/size.yml
---
 .github/workflows/size.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/size.yml b/.github/workflows/size.yml
index c968db0..e6b2e00 100644
--- a/.github/workflows/size.yml
+++ b/.github/workflows/size.yml
@@ -6,8 +6,8 @@ jobs:
 env:
 CI_JOB_NUMBER: 1
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - run: npm ci
- - uses: andresz1/size-limit-action@v1
+ - uses: andresz1/size-limit-action@e7493a72a44b113341c0cf6186ab49c17c4b65c1 # v1.6.1
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
From 7b986e31e4dffa649ebc5bbe797345191bc867b5 Mon Sep 17 00:00:00 2001
From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com>
Date: Fri, 10 Apr 2026 16:19:06 +0200
Subject: [PATCH 3/4] chore: pin actions to SHA in .github/workflows/tests.yml
---
 .github/workflows/tests.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index b11f806..57ee685 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -20,9 +20,9 @@ jobs:
 # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: ${{ matrix.node-version }}
 cache: 'npm'
From 114fa186a1a5c4d6787466324c3e5f9b3349ed19 Mon Sep 17 00:00:00 2001
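Review bot: In .github/workflows/size.yml the third-party `andresz1/size-limit-action` receives `secrets.GITHUB_TOKEN` through `github_token`, and the visible context (`env:`, `CI_JOB_NUMBER`, `steps:`) shows no `permissions:` key for this job. The SHA pin fixes the action's code, but the token's scope is what bounds the damage if that code or the preceding `npm ci` misbehaves. Unless the top of the file (outside this hunk, which starts at line 6) already sets it, I would add a job-level `permissions:` with `contents: read` and `pull-requests: write`, which is presumably all the size comment needs.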
From: slawomirbabicz <111378977+slawomirbabicz@users.noreply.github.com>
Date: Fri, 10 Apr 2026 16:19:08 +0200
Subject: [PATCH 4/4] chore: pin actions to SHA in .github/workflows/update-moc.yml
---
 .github/workflows/update-moc.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/update-moc.yml b/.github/workflows/update-moc.yml
index a125768..a0a5924 100644
--- a/.github/workflows/update-moc.yml
+++ b/.github/workflows/update-moc.yml
@@ -32,10 +32,10 @@ jobs:
 update-moc:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: '24'
 cache: 'npm'
@@ -94,13 +94,13 @@ jobs:
 - name: Generate GitHub App token
 id: app-token
- uses: actions/create-github-app-token@v1
+ uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
 with:
 app-id: ${{ vars.GENERIC_CI_RW_APP_ID }}
 private-key: ${{ secrets.GENERIC_CI_RW_APP_PRIVATE_KEY }}
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
 with:
 token: ${{ steps.app-token.outputs.token }}
 branch: auto/moc-${{ steps.versions.outputs.moc_version }}