From b9344b59b10c32045030e04ffee053f34d8eae88 Mon Sep 17 00:00:00 2001
From: Call Telemetry <57885211+calltelemetry-jason@users.noreply.github.com>
Date: Fri, 29 May 2026 15:07:09 -0300
Subject: [PATCH] ci: pin GitHub Actions to commit SHAs

Pin actions/checkout, actions/setup-node, and codecov-action to full
commit SHAs (matching the pins used across the cisco-*-mcp repos) so the
repo can enforce sha_pinning_required (action hash lock).
---
 .github/workflows/ci.yml          | 6 +++---
 .github/workflows/npm-publish.yml | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 527fed1..c963fa9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,9 +16,9 @@ jobs:
     timeout-minutes: 10
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 24
           cache: npm
@@ -41,7 +41,7 @@ jobs:
 
       - name: Upload coverage to Codecov
         if: always()
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5
         with:
           files: ./coverage/lcov.info
           fail_ci_if_error: false
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 92b07ea..b76b9ea 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -15,9 +15,9 @@ jobs:
     timeout-minutes: 10
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 24
           registry-url: https://registry.npmjs.org