From cf619f05562662134b8e0b3dc0c6b3f7785b48e6 Mon Sep 17 00:00:00 2001
From: Chris Nyhuis <cnyhuis@vigilantnow.com>
Date: Thu, 26 Mar 2026 12:05:33 -0400
Subject: [PATCH] fix: pin 1 unpinned action(s),extract 1 unsafe expression(s)
 to env vars

Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
 .github/workflows/presubmit.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
---
 .github/workflows/presubmit.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/presubmit.yml b/.github/workflows/presubmit.yml
index bb0ed7e116ae..5845d4815e1d 100644
--- a/.github/workflows/presubmit.yml
+++ b/.github/workflows/presubmit.yml
@@ -17,11 +17,13 @@ jobs:
         steps:
             - name: Check required secrets
               run: |
-                  if [ -z "${{ secrets.LLM_API_KEY }}" ]; then
+                  if [ -z "${LLM_API_KEY}" ]; then
                     echo "Error: LLM_API_KEY secret is not configured"
                     exit 1
                   fi
-            - uses: presubmit/ai-reviewer@latest
+              env:
+                LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
+            - uses: presubmit/ai-reviewer@5f1290b6142b14b44cd2e8e3ffda84cd0a22e94f # latest
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                   LLM_API_KEY: ${{ secrets.LLM_API_KEY }}