From 1f0c43e0791b2cc4efc1d5de835f71d1bcd846c9 Mon Sep 17 00:00:00 2001
From: Marius Volkhart
Date: Thu, 30 Apr 2026 09:23:39 -0400
Subject: [PATCH] Pin GitHub Actions to full commit SHAs

Replace floating version tags with pinned commit SHAs to prevent supply chain attacks. Each action retains its version tag as a comment for readability.
---
 .github/workflows/ci.yml | 6 +++---
 .github/workflows/publish.yml | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1b6b16b..f4c619d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,10 +15,10 @@ jobs:
 timeout-minutes: 30
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - name: Set up JDK
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 java-version: 8
 distribution: 'temurin'
@@ -30,7 +30,7 @@ jobs:
 - name: Upload Test Results
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: Test Results Linux
 path: '**/test-results/**/*.xml'
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 02e0b79..385fc76 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -10,10 +10,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v5
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - name: Set up JDK
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
 with:
 java-version: 11
 distribution: 'temurin'
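Review bot: The trailing comments on the new `uses:` lines name the moving major tags (`# v5`, `# v4`), so they do not record which release each SHA was resolved from. This applies to both pins in the first ci.yml hunk (`@@ -15,10 +15,10 @@`), the upload-artifact pin in the second ci.yml hunk, and both pins in publish.yml. Nothing in the patch lets a reviewer confirm that a SHA is a commit on the upstream action's release rather than just a SHA that resolves under that repository name, and update tooling that reads the comment gets no exact version to compare against. I would put the exact release tag in each comment, in the form `uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # <exact release tag>`, and say in the description how the SHAs were obtained. If the repository has no Dependabot or Renovate configuration for GitHub Actions (none is visible in this patch), the pins will also stop receiving upstream fixes until someone bumps them by hand.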
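Review bot: The `actions/setup-java` pin in the publish.yml hunk (`@@ -10,10 +10,10 @@`) freezes the v4 line while ci.yml pins the same action at v5, so the publish job runs a different major version than CI exercises and there are two SHAs to audit and bump. The mismatch predates this commit, but pinning is a good moment to align them, for example `uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5`, provided v5 supports this job's `java-version: 11` setup. Separately, the checkout step shown here has no `with:` block, so `persist-credentials` keeps its default and the job token remains usable by every later step. In a publishing job I would add `with:` and `persist-credentials: false` under the checkout step, unless a later step needs to push; the steps list continues outside this hunk, so that cannot be confirmed from here.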