From e3703c3e08be242744d7f983fa55b5e17b340822 Mon Sep 17 00:00:00 2001
From: Oleksander Piskun <oleksandr2088@icloud.com>
Date: Tue, 27 Jan 2026 11:49:16 +0200
Subject: [PATCH] fix(CI): pin actions to hashes

Signed-off-by: Oleksander Piskun <oleksandr2088@icloud.com>
---
 .github/workflows/analysis-coverage.yml  | 4 ++--
 .github/workflows/publish-docker-cpu.yml | 8 ++++----
 .github/workflows/stale.yml              | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/analysis-coverage.yml b/.github/workflows/analysis-coverage.yml
index 35abcea..82bd662 100644
--- a/.github/workflows/analysis-coverage.yml
+++ b/.github/workflows/analysis-coverage.yml
@@ -18,8 +18,8 @@ jobs:
     name: Analysis
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.10"
 
diff --git a/.github/workflows/publish-docker-cpu.yml b/.github/workflows/publish-docker-cpu.yml
index 4c0a0a1..4000ad5 100644
--- a/.github/workflows/publish-docker-cpu.yml
+++ b/.github/workflows/publish-docker-cpu.yml
@@ -54,12 +54,12 @@ jobs:
           npm run build
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -83,7 +83,7 @@ jobs:
           echo "Extracted version: ${{ env.VERSION }}"
 
       - name: Build container image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
         with:
           push: true
           context: ./${{ env.APP_NAME }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 12f63ee..59338a5 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,7 +8,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
         with:
           stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
           days-before-stale: 30