From 2d75168f37aef906ec0a4100e5f1d26234f8b253 Mon Sep 17 00:00:00 2001
From: HeavenVR <contact@heavenvr.tech>
Date: Wed, 6 May 2026 21:40:57 +0200
Subject: [PATCH] pin actions

---
 .github/actions/build-compilationdb/action.yml |  6 +++---
 .github/actions/build-firmware/action.yml      |  8 ++++----
 .github/actions/build-frontend/action.yml      |  8 ++++----
 .github/actions/build-staticfs/action.yml      | 10 +++++-----
 .github/actions/cdn-upload-firmware/action.yml |  6 +++---
 .github/actions/merge-partitions/action.yml    | 10 +++++-----
 .github/workflows/ci-build.yml                 | 18 +++++++++---------
 .github/workflows/codeql.yml                   | 14 +++++++-------
 .github/workflows/cpp-linter.yml               |  4 ++--
 .github/workflows/get-vars.yml                 |  6 +++---
 10 files changed, 45 insertions(+), 45 deletions(-)

diff --git a/.github/actions/build-compilationdb/action.yml b/.github/actions/build-compilationdb/action.yml
index 6c477a42..ab129f78 100644
--- a/.github/actions/build-compilationdb/action.yml
+++ b/.github/actions/build-compilationdb/action.yml
@@ -12,10 +12,10 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       if: ${{ !inputs.skip-checkout }}
 
-    - uses: actions/cache@v5
+    - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
       with:
         path: |
           ~/.platformio/platforms
@@ -23,7 +23,7 @@ runs:
           ~/.platformio/.cache
         key: pio-${{ runner.os }}-${{ hashFiles('platformio.ini', 'requirements.txt') }}
 
-    - uses: actions/setup-python@v6
+    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
       with:
         cache: 'pip'
 
diff --git a/.github/actions/build-firmware/action.yml b/.github/actions/build-firmware/action.yml
index 95ef8540..e56bf2ae 100644
--- a/.github/actions/build-firmware/action.yml
+++ b/.github/actions/build-firmware/action.yml
@@ -15,10 +15,10 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       if: ${{ !inputs.skip-checkout }}
 
-    - uses: actions/cache@v5
+    - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
       with:
         path: |
           .pio/libdeps
@@ -27,7 +27,7 @@ runs:
           ~/.platformio/.cache
         key: pio-${{ runner.os }}-${{ hashFiles('platformio.ini', 'requirements.txt') }}
 
-    - uses: actions/setup-python@v6
+    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
       with:
         cache: 'pip'
 
@@ -46,7 +46,7 @@ runs:
         OPENSHOCK_FW_BUILD_DATE: ${{ github.event.head_commit.timestamp }}
 
     - name: Upload build artifacts
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
       with:
         name: firmware_build_${{ inputs.board }}
         path: .pio/build/${{ inputs.board }}/*.bin
diff --git a/.github/actions/build-frontend/action.yml b/.github/actions/build-frontend/action.yml
index 50df00b2..3bcec2eb 100644
--- a/.github/actions/build-frontend/action.yml
+++ b/.github/actions/build-frontend/action.yml
@@ -8,20 +8,20 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       if: ${{ !inputs.skip-checkout }}
       with:
         sparse-checkout: |
           frontend
         path: ${{ github.repository }}
 
-    - uses: pnpm/action-setup@v5
+    - uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d  # v6.0.5
       name: Install pnpm
       with:
         package_json_file: ./frontend/package.json
         run_install: false
 
-    - uses: actions/setup-node@v6
+    - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
       with:
         node-version-file: ./frontend/package.json
         cache: 'pnpm'
@@ -54,7 +54,7 @@ runs:
       run: pnpm run build
 
     - name: Upload artifacts
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
       with:
         name: frontend
         path: frontend/build/*
diff --git a/.github/actions/build-staticfs/action.yml b/.github/actions/build-staticfs/action.yml
index fdaed92f..e7571f50 100644
--- a/.github/actions/build-staticfs/action.yml
+++ b/.github/actions/build-staticfs/action.yml
@@ -12,10 +12,10 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       if: ${{ !inputs.skip-checkout }}
 
-    - uses: actions/cache@v5
+    - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
       with:
         path: |
           ~/.platformio/platforms
@@ -23,7 +23,7 @@ runs:
           ~/.platformio/.cache
         key: pio-${{ runner.os }}-${{ hashFiles('platformio.ini', 'requirements.txt') }}
 
-    - uses: actions/setup-python@v6
+    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
       with:
         cache: 'pip'
 
@@ -32,7 +32,7 @@ runs:
       run: pip install -r requirements.txt
 
     - name: Download built frontend
-      uses: actions/download-artifact@v8
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
       with:
         name: frontend
         path: frontend/build/
@@ -51,7 +51,7 @@ runs:
       run: mv .pio/build/fs/littlefs.bin staticfs.bin
 
     - name: Upload internal filesystem artifact
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
       with:
         name: firmware_staticfs
         path: staticfs.bin
diff --git a/.github/actions/cdn-upload-firmware/action.yml b/.github/actions/cdn-upload-firmware/action.yml
index ea9531db..d58fdcf1 100644
--- a/.github/actions/cdn-upload-firmware/action.yml
+++ b/.github/actions/cdn-upload-firmware/action.yml
@@ -21,19 +21,19 @@ runs:
   using: composite
   steps:
     - name: Download static filesystem partition
-      uses: actions/download-artifact@v8
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
       with:
         name: firmware_staticfs
         path: .
 
     - name: Download firmware partitions
-      uses: actions/download-artifact@v8
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
       with:
         name: firmware_build_${{ inputs.board }}
         path: .
 
     - name: Download merged firmware binary
-      uses: actions/download-artifact@v8
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
       with:
         name: firmware_merged_${{ inputs.board }}
         path: .
diff --git a/.github/actions/merge-partitions/action.yml b/.github/actions/merge-partitions/action.yml
index 6f1071bf..5ad56482 100644
--- a/.github/actions/merge-partitions/action.yml
+++ b/.github/actions/merge-partitions/action.yml
@@ -15,7 +15,7 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       if: ${{ !inputs.skip-checkout }}
       with:
         sparse-checkout: |
@@ -23,7 +23,7 @@ runs:
           boards
           chips
 
-    - uses: actions/setup-python@v6
+    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
       with:
         cache: 'pip'
 
@@ -32,12 +32,12 @@ runs:
       run: pip install -r requirements.txt
 
     - name: Download static filesystem partition
-      uses: actions/download-artifact@v8
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
       with:
         name: firmware_staticfs
 
     - name: Download firmware partitions
-      uses: actions/download-artifact@v8
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
       with:
         name: firmware_build_${{ inputs.board }}
 
@@ -48,7 +48,7 @@ runs:
         mv merged.bin OpenShock_${{ inputs.board }}_${{ inputs.version }}.bin
 
     - name: Upload merged firmware binary
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
       with:
         name: firmware_merged_${{ inputs.board }}
         path: OpenShock_${{ inputs.board }}_*.bin
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
index 634d8ea7..e7157f55 100644
--- a/.github/workflows/ci-build.yml
+++ b/.github/workflows/ci-build.yml
@@ -33,7 +33,7 @@ jobs:
     timeout-minutes: 5
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           sparse-checkout: |
             .github
@@ -47,7 +47,7 @@ jobs:
     timeout-minutes: 5
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - uses: ./.github/actions/build-staticfs
         with:
           version: ${{ needs.getvars.outputs.version }}
@@ -62,7 +62,7 @@ jobs:
       matrix: ${{ fromJSON(needs.getvars.outputs.board-matrix) }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - uses: ./.github/actions/build-firmware
         with:
@@ -79,7 +79,7 @@ jobs:
       matrix: ${{ fromJSON(needs.getvars.outputs.board-matrix) }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           sparse-checkout: |
             .github
@@ -111,7 +111,7 @@ jobs:
       matrix: ${{ fromJson(needs.getvars.outputs.board-matrix) }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           sparse-checkout: |
             .github
@@ -138,7 +138,7 @@ jobs:
     environment: cdn-firmware-r2
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           sparse-checkout: |
             .github
@@ -165,7 +165,7 @@ jobs:
     environment: cdn-firmware-r2
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           sparse-checkout: |
             .github
@@ -201,13 +201,13 @@ jobs:
 
     steps:
       - name: Download release artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
 
       - name: Display artifacts
         run: ls -R
 
       - name: Release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd  # v1.21.0
         with:
           artifacts: '**/OpenShock_*.bin'
           tag: ${{ needs.getvars.outputs.version }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4298548c..a5ec1885 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -42,21 +42,21 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7  # v4.35.3
         with:
           languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@e46ed2cbd01164d986452f91f178727624ae40d7  # v4.35.3
 
       # Build stuff here
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7  # v4.35.3
         with:
           category: '/language:${{matrix.language}}'
 
@@ -76,10 +76,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7  # v4.35.3
         with:
           languages: ${{ env.language }}
 
@@ -90,6 +90,6 @@ jobs:
           version: ${{ needs.get-vars.outputs.version }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7  # v4.35.3
         with:
           category: '/language:${{ env.language }}'
diff --git a/.github/workflows/cpp-linter.yml b/.github/workflows/cpp-linter.yml
index e55fb943..1a399226 100644
--- a/.github/workflows/cpp-linter.yml
+++ b/.github/workflows/cpp-linter.yml
@@ -28,14 +28,14 @@ jobs:
     
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - uses: ./.github/actions/build-compilationdb
         with:
           version: 0.0.0-test+build # Doesn't matter, just need the compilation database
           skip-checkout: true
       
-      - uses: cpp-linter/cpp-linter-action@v2
+      - uses: cpp-linter/cpp-linter-action@77c390c5ba9c947ebc185a3e49cc754f1558abb5  # v2.18.0
         id: linter
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/get-vars.yml b/.github/workflows/get-vars.yml
index e5e78373..d5047e9f 100644
--- a/.github/workflows/get-vars.yml
+++ b/.github/workflows/get-vars.yml
@@ -78,19 +78,19 @@ jobs:
       release-dev-array: ${{ steps.get-vars.outputs.release-dev-array }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
           sparse-checkout: |
             .github
 
-      - uses: pnpm/action-setup@v5
+      - uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d  # v6.0.5
         name: Install pnpm
         with:
           package_json_file: ./.github/scripts/package.json
           run_install: false
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version-file: ./.github/scripts/package.json
           cache: 'pnpm'