From 3de08860664b94b092b5622611db313abb5d5a98 Mon Sep 17 00:00:00 2001
From: Riccardo Sarro <rsar@bendingspoons.com>
Date: Mon, 22 Jun 2026 12:04:35 +0200
Subject: [PATCH] fix: pin GitHub Actions to SHA for supply chain security

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
---
 .github/workflows/phpunit.yml | 4 ++--
 .github/workflows/psalm.yml   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/phpunit.yml b/.github/workflows/phpunit.yml
index 8ff67292..d2d6fc7a 100644
--- a/.github/workflows/phpunit.yml
+++ b/.github/workflows/phpunit.yml
@@ -14,7 +14,7 @@ jobs:
       XDEBUG_MODE: off
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 
     - name: Validate composer.json and composer.lock
       run: composer validate
@@ -25,7 +25,7 @@ jobs:
         echo "::set-output name=dir::$(composer config cache-files-dir)"
 
     - name: Cache Composer packages
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
       with:
         path: ${{ steps.composer-cache.outputs.dir }}
         key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
diff --git a/.github/workflows/psalm.yml b/.github/workflows/psalm.yml
index 87311635..61c0eb5c 100644
--- a/.github/workflows/psalm.yml
+++ b/.github/workflows/psalm.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 
     - name: Get Composer Cache Directory
       id: composer-cache
@@ -19,7 +19,7 @@ jobs:
         echo "::set-output name=dir::$(composer config cache-files-dir)"
 
     - name: Cache Composer packages
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
       with:
         path: ${{ steps.composer-cache.outputs.dir }}
         key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}