From 9fdba87a19e1fcea441ab99c60e24c865b16b351 Mon Sep 17 00:00:00 2001
From: youngjk
Date: Tue, 21 Apr 2026 11:12:20 -0400
Subject: [PATCH] SEC-178: pin GitHub Action refs to full SHAs

Pins all external actions in maven.yml, publish.yml, and test.yml to full commit SHAs of their v5/v6/v9 tags as of 2026-04-21. Required before the org-wide sha_pinning_required policy (rootlyhq/terraform-rootly#891) lands.

SHAs:
actions/checkout@v6 -> de0fac2e4500dabe0009e67214ff5f5447ce83dd
actions/setup-java@v5 -> be666c2fcd27ec809703dec50e508c2fdc7f6654
actions/github-script@v9 -> 3a2844b7e9c422d3c10d287c895573f7108da1b3

Linear: SEC-178 (follow-up to SEC-89).
---
 .github/workflows/maven.yml | 4 ++--
 .github/workflows/publish.yml | 8 ++++----
 .github/workflows/test.yml | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 514fb880..0091b0db 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -19,9 +19,9 @@ jobs: matrix: java: [ 17, 21 ] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up JDK - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: ${{ matrix.java }} distribution: 'temurin'
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 953f174d..13c99e42 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,12 +12,12 @@ jobs: contents: write packages: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - name: Set up JDK for Maven Central - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: '17' distribution: 'temurin'
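Review bot: The trailing `# v6` / `# v5` comments on the new `uses:` lines are the only link between each SHA and the tag it is claimed to come from, and neither the workflow nor the commit shows how that mapping was verified — GitHub resolves the SHA and ignores the comment. Before merging, confirm each SHA is the peeled commit of the tag rather than an annotated tag object, e.g. `git ls-remote https://github.com/actions/checkout refs/tags/v6 'refs/tags/v6^{}'`, since a tag-object SHA would not resolve for `uses:`. Pinned SHAs also stop receiving fixes unless an updater reads those comments; if the repo does not already have a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` (or a Renovate equivalent), add one so the SHA and the version comment are bumped together. The enclosing job and its `matrix:` start above this hunk.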
@@ -39,7 +39,7 @@ jobs: MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - name: Set up JDK for GitHub Packages - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: '17' distribution: 'temurin'
@@ -77,7 +77,7 @@ jobs: } >> $GITHUB_OUTPUT - name: Create GitHub Release - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index eb3a9d69..bdc3450d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,9 +9,9 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up JDK - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: '17' distribution: 'temurin'
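Review bot: `actions/setup-java` is now pinned at two separate steps in publish.yml (this hunk and the one at -12) and again in maven.yml and test.yml, all to the same SHA, but with SHA pins each occurrence is bumped independently, so a hand edit of one step would leave the others on an older commit carrying the same `# v5` label. Keep the four pins in lockstep through the updater rather than by hand, and consider a CI check that fails when a `uses:` SHA and its trailing version comment disagree (tools such as pinact or zizmor's unpinned-uses audit cover this, if the org allows them). The `Set up JDK for GitHub Packages` step's `with:` block continues below this hunk.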