From b69d311da83485ac7f94e6638459f57890758fae Mon Sep 17 00:00:00 2001
From: Chris Nyhuis
Date: Thu, 26 Mar 2026 01:12:25 -0400
Subject: [PATCH] fix: pin 10 unpinned action(s),extract 6 unsafe expression(s) to env vars

Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
 .github/workflows/compiler_discord_notify.yml | 2 +-
 .github/workflows/compiler_prereleases_manual.yml | 2 +-
 .github/workflows/compiler_prereleases_nightly.yml | 2 +-
 .github/workflows/devtools_discord_notify.yml | 2 +-
 .github/workflows/devtools_regression_tests.yml | 4 +++-
 .github/workflows/runtime_build_and_test.yml | 12 +++++++++---
 .github/workflows/runtime_commit_artifacts.yml | 4 +++-
 .github/workflows/runtime_discord_notify.yml | 2 +-
 .github/workflows/runtime_prereleases.yml | 4 +++-
 .github/workflows/runtime_prereleases_manual.yml | 4 ++--
 .github/workflows/runtime_prereleases_nightly.yml | 4 ++--
 .github/workflows/shared_label_core_team_prs.yml | 2 +-
 12 files changed, 28 insertions(+), 16 deletions(-)
---
 .github/workflows/compiler_discord_notify.yml | 2 +-
 .github/workflows/compiler_prereleases_manual.yml | 2 +-
 .github/workflows/compiler_prereleases_nightly.yml | 2 +-
 .github/workflows/devtools_discord_notify.yml | 2 +-
 .github/workflows/devtools_regression_tests.yml | 4 +++-
 .github/workflows/runtime_build_and_test.yml | 12 +++++++++---
 .github/workflows/runtime_commit_artifacts.yml | 4 +++-
 .github/workflows/runtime_discord_notify.yml | 2 +-
 .github/workflows/runtime_prereleases.yml | 4 +++-
 .github/workflows/runtime_prereleases_manual.yml | 4 ++--
 .github/workflows/runtime_prereleases_nightly.yml | 4 ++--
 .github/workflows/shared_label_core_team_prs.yml | 2 +-
 12 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/compiler_discord_notify.yml b/.github/workflows/compiler_discord_notify.yml
index 5a57cf6a32c1..2209bcb402a2 100644
--- a/.github/workflows/compiler_discord_notify.yml
+++ b/.github/workflows/compiler_discord_notify.yml
@@ -25,7 +25,7 @@ jobs:
 check_maintainer:
 if: ${{ needs.check_access.outputs.is_member_or_collaborator == 'true' || needs.check_access.outputs.is_member_or_collaborator == true }}
 needs: [check_access]
- uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main
+ uses: facebook/react/.github/workflows/shared_check_maintainer.yml@3cb2c42013eda273ac449126ab9fcc115a09d39d # main
 permissions:
 # Used by check_maintainer
 contents: read
diff --git a/.github/workflows/compiler_prereleases_manual.yml b/.github/workflows/compiler_prereleases_manual.yml
index c4a7a16aca3b..24fe3074509a 100644
--- a/.github/workflows/compiler_prereleases_manual.yml
+++ b/.github/workflows/compiler_prereleases_manual.yml
@@ -29,7 +29,7 @@ env:
 jobs:
 publish_prerelease_experimental:
 name: Publish to Experimental channel
- uses: facebook/react/.github/workflows/compiler_prereleases.yml@main
+ uses: facebook/react/.github/workflows/compiler_prereleases.yml@3cb2c42013eda273ac449126ab9fcc115a09d39d # main
 with:
 commit_sha: ${{ inputs.prerelease_commit_sha || github.sha }}
 release_channel: ${{ inputs.release_channel }}
diff --git a/.github/workflows/compiler_prereleases_nightly.yml b/.github/workflows/compiler_prereleases_nightly.yml
index ca2b5589def2..2161e9707575 100644
--- a/.github/workflows/compiler_prereleases_nightly.yml
+++ b/.github/workflows/compiler_prereleases_nightly.yml
@@ -13,7 +13,7 @@ env:
 jobs:
 publish_prerelease_experimental:
 name: Publish to Experimental channel
- uses: facebook/react/.github/workflows/compiler_prereleases.yml@main
+ uses: facebook/react/.github/workflows/compiler_prereleases.yml@3cb2c42013eda273ac449126ab9fcc115a09d39d # main
 with:
 commit_sha: ${{ github.sha }}
 release_channel: experimental
diff --git a/.github/workflows/devtools_discord_notify.yml b/.github/workflows/devtools_discord_notify.yml
index bb498f003710..acee2e426b7d 100644
--- a/.github/workflows/devtools_discord_notify.yml
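Review bot: Pinning `shared_check_maintainer.yml@main` to `@3cb2c42013eda273ac449126ab9fcc115a09d39d` on the added `uses:` line freezes a same-repository reusable workflow at one commit, so later fixes to `shared_check_maintainer.yml` on `main` will not reach this caller until each caller's SHA is bumped by hand; the same applies to the pinned `uses:` lines in compiler_prereleases_manual, compiler_prereleases_nightly, devtools_discord_notify, runtime_discord_notify, runtime_prereleases_manual, runtime_prereleases_nightly and shared_label_core_team_prs. A `@main` reference into the repository's own workflows sits inside the same trust boundary as the caller, so what this buys is drift rather than supply-chain protection; if caller and callee are meant to move together, the local form `uses: ./.github/workflows/shared_check_maintainer.yml` achieves that with no SHA to maintain, provided the triggers (outside this hunk) are happy running the callee from the caller's commit. By contrast the `actions/upload-artifact@v4` reference visible in runtime_build_and_test's `@@ -923` hunk is an external action still on a mutable tag, which is the kind of reference SHA pinning is meant for. If the SHA pin stays, treat the trailing `# main` comment as a refresh hint for update tooling, since it stops describing the pinned commit as soon as `main` moves.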
+++ b/.github/workflows/devtools_discord_notify.yml
@@ -25,7 +25,7 @@ jobs:
 check_maintainer:
 if: ${{ needs.check_access.outputs.is_member_or_collaborator == 'true' || needs.check_access.outputs.is_member_or_collaborator == true }}
 needs: [check_access]
- uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main
+ uses: facebook/react/.github/workflows/shared_check_maintainer.yml@3cb2c42013eda273ac449126ab9fcc115a09d39d # main
 permissions:
 # Used by check_maintainer
 contents: read
diff --git a/.github/workflows/devtools_regression_tests.yml b/.github/workflows/devtools_regression_tests.yml
index 9fe0c55e0bd0..68a58ed637b0 100644
--- a/.github/workflows/devtools_regression_tests.yml
+++ b/.github/workflows/devtools_regression_tests.yml
@@ -46,7 +46,9 @@ jobs:
 - name: Download react-devtools artifacts for base revision
 run: |
 git fetch origin main
- GH_TOKEN=${{ github.token }} scripts/release/download-experimental-build.js --commit=${{ inputs.commit_sha || '$(git rev-parse origin/main)' }}
+ GH_TOKEN=${GITHUB_TOKEN} scripts/release/download-experimental-build.js --commit=${{ inputs.commit_sha || '$(git rev-parse origin/main)' }}
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
 - name: Display structure of build
 run: ls -R build
 - name: Archive build
diff --git a/.github/workflows/runtime_build_and_test.yml b/.github/workflows/runtime_build_and_test.yml
index 3eec5f90bee3..4623bde4d9f4 100644
--- a/.github/workflows/runtime_build_and_test.yml
+++ b/.github/workflows/runtime_build_and_test.yml
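Review bot: The rewritten `run:` line in devtools_regression_tests still interpolates `${{ inputs.commit_sha || '$(git rev-parse origin/main)' }}` straight into the shell script, and that input, not `github.token`, is the only value on the line supplied by whoever invokes the workflow, so the extraction leaves the expression that actually warranted it in place. Because the fallback is itself a shell substitution the expression cannot be moved to `env:` verbatim; the working form is `COMMIT_SHA: ${{ inputs.commit_sha }}` added under the new `env:` block and `--commit="${COMMIT_SHA:-$(git rev-parse origin/main)}"` in the script, which keeps the `origin/main` default while the input reaches the shell only as a variable value. The same leftover appears in runtime_build_and_test's `@@ -899` hunk (`github.event.pull_request.base.sha` and the `--noVerify` expression), runtime_commit_artifacts `@@ -52` (`inputs.commit_sha || github.event.workflow_run.head_sha || github.sha`, which has no shell default and can move to `env:` as-is) and runtime_prereleases `@@ -74` (`inputs.release_channel` and `inputs.commit_sha`). Whether `inputs.commit_sha` is constrained to a hex SHA where it is declared is outside this hunk.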
@@ -531,7 +531,9 @@ jobs:
 merge-multiple: true
 - name: Display structure of build
 run: ls -R build
- - run: echo ${{ github.event.inputs.commit_sha != '' && github.event.inputs.commit_sha || github.event.pull_request.head.sha || github.sha }} >> build/COMMIT_SHA
+ - run: echo ${INPUT_COMMIT_SHA} >> build/COMMIT_SHA
+ env:
+ INPUT_COMMIT_SHA: ${{ github.event.inputs.commit_sha != '' && github.event.inputs.commit_sha || github.event.pull_request.head.sha || github.sha }}
 - name: Scrape warning messages
 run: |
 mkdir -p ./build/__test_utils__
@@ -899,8 +901,10 @@ jobs:
 # unverified artifact is not used. Additionally this workflow runs in the pull_request
 # trigger so only restricted permissions are available.
 run: |
- GH_TOKEN=${{ github.token }} scripts/release/download-experimental-build.js --commit=$(git rev-parse ${{ github.event.pull_request.base.sha }}) ${{ (github.event.pull_request.head.repo.full_name != github.repository && '--noVerify') || ''}}
+ GH_TOKEN=${GITHUB_TOKEN} scripts/release/download-experimental-build.js --commit=$(git rev-parse ${{ github.event.pull_request.base.sha }}) ${{ (github.event.pull_request.head.repo.full_name != github.repository && '--noVerify') || ''}}
 mv ./build ./base-build
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
 - name: Delete extraneous files
 # TODO: The `download-experimental-build` script copies the npm
 # packages into the `node_modules` directory. This is a historical
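Review bot: The added `echo ${INPUT_COMMIT_SHA} >> build/COMMIT_SHA` in the `@@ -531` hunk expands the variable unquoted, so now that the value is a shell variable rather than text substituted before the script runs, an empty or whitespace-containing value is subject to word splitting and globbing before it lands in the file; write it as `- run: echo "${INPUT_COMMIT_SHA}" >> build/COMMIT_SHA`, and likewise in the `@@ -923` hunk. Moving the expression under `env:` is the right direction and quoting is what completes it. The `INPUT_` prefix also reads as if the variable came from an action's `with:` input, since GitHub itself exposes those as `INPUT_<NAME>`; a name such as `COMMIT_SHA` would avoid that confusion.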
@@ -923,7 +927,9 @@ jobs:
 node ./scripts/print-warnings/print-warnings.js > build/__test_utils__/ReactAllWarnings.js
 - name: Display structure of build for PR
 run: ls -R build
- - run: echo ${{ github.event.inputs.commit_sha != '' && github.event.inputs.commit_sha || github.event.pull_request.head.sha || github.sha }} >> build/COMMIT_SHA
+ - run: echo ${INPUT_COMMIT_SHA} >> build/COMMIT_SHA
+ env:
+ INPUT_COMMIT_SHA: ${{ github.event.inputs.commit_sha != '' && github.event.inputs.commit_sha || github.event.pull_request.head.sha || github.sha }}
 - run: node ./scripts/tasks/danger
 - name: Archive sizebot results
 uses: actions/upload-artifact@v4
diff --git a/.github/workflows/runtime_commit_artifacts.yml b/.github/workflows/runtime_commit_artifacts.yml
index 11a22e6c2a4c..ae7d713f34e0 100644
--- a/.github/workflows/runtime_commit_artifacts.yml
+++ b/.github/workflows/runtime_commit_artifacts.yml
@@ -52,7 +52,9 @@ jobs:
 if: steps.node_modules.outputs.cache-hit != 'true'
 - name: Download artifacts for base revision
 run: |
- GH_TOKEN=${{ github.token }} scripts/release/download-experimental-build.js --commit=${{ inputs.commit_sha || github.event.workflow_run.head_sha || github.sha }}
+ GH_TOKEN=${GITHUB_TOKEN} scripts/release/download-experimental-build.js --commit=${{ inputs.commit_sha || github.event.workflow_run.head_sha || github.sha }}
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
 - name: Display structure of build
 run: ls -R build
 - name: Archive build
diff --git a/.github/workflows/runtime_discord_notify.yml b/.github/workflows/runtime_discord_notify.yml
index ae9930adf114..99c706d12dba 100644
--- a/.github/workflows/runtime_discord_notify.yml
+++ b/.github/workflows/runtime_discord_notify.yml
@@ -27,7 +27,7 @@ jobs:
 check_maintainer:
 if: ${{ needs.check_access.outputs.is_member_or_collaborator == 'true' || needs.check_access.outputs.is_member_or_collaborator == true }}
 needs: [check_access]
- uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main
+ uses: facebook/react/.github/workflows/shared_check_maintainer.yml@3cb2c42013eda273ac449126ab9fcc115a09d39d # main
 permissions:
 # Used by check_maintainer
 contents: read
diff --git a/.github/workflows/runtime_prereleases.yml b/.github/workflows/runtime_prereleases.yml
index 6559b1449971..3c87ba7750ff 100644
--- a/.github/workflows/runtime_prereleases.yml
+++ b/.github/workflows/runtime_prereleases.yml
@@ -74,7 +74,9 @@ jobs:
 if: steps.node_modules.outputs.cache-hit != 'true'
 - run: cp ./scripts/release/ci-npmrc ~/.npmrc
 - run: |
- GH_TOKEN=${{ secrets.GH_TOKEN }} scripts/release/prepare-release-from-ci.js --skipTests -r ${{ inputs.release_channel }} --commit=${{ inputs.commit_sha }}
+ GH_TOKEN=${GH_TOKEN} scripts/release/prepare-release-from-ci.js --skipTests -r ${{ inputs.release_channel }} --commit=${{ inputs.commit_sha }}
+ env:
+ GH_TOKEN: ${{ secrets.GH_TOKEN }}
 - name: Check prepared files
 run: ls -R build/node_modules
 - if: '${{ inputs.only_packages }}'
diff --git a/.github/workflows/runtime_prereleases_manual.yml b/.github/workflows/runtime_prereleases_manual.yml
index 407d931e9073..cec6709f1b8e 100644
--- a/.github/workflows/runtime_prereleases_manual.yml
+++ b/.github/workflows/runtime_prereleases_manual.yml
@@ -52,7 +52,7 @@ jobs:
 publish_prerelease_canary:
 if: ${{ !inputs.experimental_only }}
 name: Publish to Canary channel
- uses: facebook/react/.github/workflows/runtime_prereleases.yml@main
+ uses: facebook/react/.github/workflows/runtime_prereleases.yml@3cb2c42013eda273ac449126ab9fcc115a09d39d # main
 permissions:
 # We use github.token to download the build artifact from a previous runtime_build_and_test.yml run
 actions: read
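Review bot: `GH_TOKEN=${GH_TOKEN} scripts/release/prepare-release-from-ci.js …` on the added line in runtime_prereleases' `@@ -74` hunk assigns the variable to itself: once `GH_TOKEN` is set in the step's `env:` it is already in the script's environment, so the prefix is dead text and the line can be `scripts/release/prepare-release-from-ci.js --skipTests -r ${{ inputs.release_channel }} --commit=${{ inputs.commit_sha }}`. The other extracted steps (devtools_regression_tests, runtime_build_and_test `@@ -899`, runtime_commit_artifacts) could take the same shape by naming the `env:` entry `GH_TOKEN` instead of `GITHUB_TOKEN` and dropping the `GH_TOKEN=${GITHUB_TOKEN}` prefix, which also makes it obvious at a glance which variable the script reads. The enclosing job's `steps:` list begins before this hunk.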
@@ -79,7 +79,7 @@ jobs:
 publish_prerelease_experimental:
 name: Publish to Experimental channel
- uses: facebook/react/.github/workflows/runtime_prereleases.yml@main
+ uses: facebook/react/.github/workflows/runtime_prereleases.yml@3cb2c42013eda273ac449126ab9fcc115a09d39d # main
 permissions:
 # We use github.token to download the build artifact from a previous runtime_build_and_test.yml run
 actions: read
diff --git a/.github/workflows/runtime_prereleases_nightly.yml b/.github/workflows/runtime_prereleases_nightly.yml
index f13a92e46f40..867c3fd8640c 100644
--- a/.github/workflows/runtime_prereleases_nightly.yml
+++ b/.github/workflows/runtime_prereleases_nightly.yml
@@ -13,7 +13,7 @@ env:
 jobs:
 publish_prerelease_canary:
 name: Publish to Canary channel
- uses: facebook/react/.github/workflows/runtime_prereleases.yml@main
+ uses: facebook/react/.github/workflows/runtime_prereleases.yml@3cb2c42013eda273ac449126ab9fcc115a09d39d # main
 permissions:
 # We use github.token to download the build artifact from a previous runtime_build_and_test.yml run
 actions: read
@@ -30,7 +30,7 @@ jobs:
 publish_prerelease_experimental:
 name: Publish to Experimental channel
- uses: facebook/react/.github/workflows/runtime_prereleases.yml@main
+ uses: facebook/react/.github/workflows/runtime_prereleases.yml@3cb2c42013eda273ac449126ab9fcc115a09d39d # main
 permissions:
 # We use github.token to download the build artifact from a previous runtime_build_and_test.yml run
 actions: read
diff --git a/.github/workflows/shared_label_core_team_prs.yml b/.github/workflows/shared_label_core_team_prs.yml
index cc10e87dcc2c..c155e87d3add 100644
--- a/.github/workflows/shared_label_core_team_prs.yml
+++ b/.github/workflows/shared_label_core_team_prs.yml
@@ -26,7 +26,7 @@ jobs:
 check_maintainer:
 if: ${{ needs.check_access.outputs.is_member_or_collaborator == 'true' || needs.check_access.outputs.is_member_or_collaborator == true }}
 needs: [check_access]
- uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main
+ uses: facebook/react/.github/workflows/shared_check_maintainer.yml@3cb2c42013eda273ac449126ab9fcc115a09d39d # main
 permissions:
 # Used by check_maintainer
 contents: read