From 8d8f1b90733dd95a30d2c48a592f5b4ab04f4609 Mon Sep 17 00:00:00 2001
From: Aaron Sachs
Date: Sun, 3 May 2026 21:33:32 -0400
Subject: [PATCH] chore(ci): pin GitHub Actions to commit SHAs

Replaces moving tag references with full commit SHAs and trailing semver
comments. Defends against tag-repointing supply-chain attacks if a third-
party action maintainer is compromised.
---
.github/workflows/release.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c031ea6..766663d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,10 +24,10 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Setup Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
@@ -53,12 +53,12 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
- name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: '22.x'
registry-url: 'https://npm.pkg.github.com'
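Review bot: The new SHA pins on the two `uses:` lines in this hunk (and the matching pair in the `@@ -53,12 +53,12` hunk) come with no refresh mechanism in this commit, so they will silently fall behind future security releases of actions/checkout and actions/setup-node unless something bumps them. Add a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` (or the Renovate equivalent) so the hash and the trailing `# v4.3.1` / `# v4.4.0` comments are updated together; those comments are informational only and nothing in the workflow verifies that each hash actually corresponds to the named tag, so that mapping should be checked against the upstream release before merge. I cannot see the rest of release.yml here; if it contains further `uses:` references outside these hunks they should be pinned the same way, otherwise the tag-repointing defense described in the commit message is only partial. The enclosing job definitions start outside the hunk.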