From c1449598ab622a940e0ff5eb9a0e20478b94ba3e Mon Sep 17 00:00:00 2001
From: anupsv <6407789+anupsv@users.noreply.github.com>
Date: Wed, 15 Apr 2026 13:24:38 -0700
Subject: [PATCH] fix(security): SHA-pin GitHub Actions in workflow files

Pin pnpm/action-setup and actions/setup-node to commit SHAs to prevent supply chain attacks via tag mutation. actions/checkout was already pinned.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/release-dev.yml | 4 ++--
 .github/workflows/release-prod.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release-dev.yml b/.github/workflows/release-dev.yml
index d036cfe6..e3e18505 100644
--- a/.github/workflows/release-dev.yml
+++ b/.github/workflows/release-dev.yml
@@ -41,12 +41,12 @@ jobs:
           echo "Building dev version: $PACKAGE_VERSION"
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
         with:
           version: 9
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
           registry-url: "https://registry.npmjs.org"
diff --git a/.github/workflows/release-prod.yml b/.github/workflows/release-prod.yml
index 952dae1a..33352058 100644
--- a/.github/workflows/release-prod.yml
+++ b/.github/workflows/release-prod.yml
@@ -89,12 +89,12 @@ jobs:
           fi
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
         with:
           version: 9
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
           registry-url: "https://registry.npmjs.org"
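Review bot: The SHA pin on the two `uses:` lines is only as durable as its upkeep, and nothing in this hunk or the commit arranges for the SHA and its trailing `# v4.3.0` / `# v4.4.0` comment to be refreshed, so these steps will silently stay on today's releases after upstream fixes ship; a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` closes that gap (Dependabot reads this comment format and bumps SHA and comment together), and the identical hunk in release-prod.yml needs the same. Separately, `version: 9` on the `with:` line right after the pinned `pnpm/action-setup` still lets the action resolve and download the newest pnpm 9.x at run time, so the pnpm binary itself remains an unpinned input to a release job; pinning an exact pnpm version there, or dropping `version:` and relying on a `packageManager` field in package.json if the project declares one, would extend the pin to that download. The `NODE_VERSION` env and the enclosing `steps:` list begin outside the hunk, so whether the remaining steps are pinned cannot be confirmed from here.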