From 0b5c7fb87c56108896e9c2e2521351fa84a194f8 Mon Sep 17 00:00:00 2001
From: "dnastack-renovate[bot]"
 <209827418+dnastack-renovate[bot]@users.noreply.github.com>
Date: Thu, 9 Apr 2026 21:11:28 +0000
Subject: [PATCH] [CU-86b4umhm1] Pin dependencies

---
 .github/workflows/docker-build-push.yml |  6 +++---
 Dockerfile                              |  2 +-
 action.yml                              | 12 ++++++------
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
index 8d95fca..806cec4 100644
--- a/.github/workflows/docker-build-push.yml
+++ b/.github/workflows/docker-build-push.yml
@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
       - name: prepare tags
@@ -29,12 +29,12 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@master
       - name: login to dockerhub
-        uses: docker/login-action@v1
+        uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: build
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: .
diff --git a/Dockerfile b/Dockerfile
index f0fbee8..605d7f2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.11.0-slim-buster
+FROM python:3.11.0-slim-buster@sha256:730510eaec8fa02354a28b50f0d3f5635de439a566d59fc63c209791c40d3213
 
 RUN apt-get -qq update \
 	&& apt-get -qq install \
diff --git a/action.yml b/action.yml
index d624090..9d8ebd9 100644
--- a/action.yml
+++ b/action.yml
@@ -53,26 +53,26 @@ runs:
           echo "WDL_CI_CUSTOM_TEST_WDL_DIR"=${{ inputs.wdl-ci-custom-test-wdl-dir }} >> $GITHUB_ENV
         fi
     - name: lint
-      uses: docker://dnastack/wdl-ci:v2.1.0
+      uses: docker://dnastack/wdl-ci:v2.1.0@sha256:d6b2779446155ea677daa6242d18551d51fc05f5391a9a8fb111167f914a4f0c
       with:
         args: lint ${{ inputs.suppress-lint-errors && '--suppress-lint-errors' || '' }}
     - name: detect-changes
-      uses: docker://dnastack/wdl-ci:v2.1.0
+      uses: docker://dnastack/wdl-ci:v2.1.0@sha256:d6b2779446155ea677daa6242d18551d51fc05f5391a9a8fb111167f914a4f0c
       with:
         args: detect-changes
     - name: submit
-      uses: docker://dnastack/wdl-ci:v2.1.0
+      uses: docker://dnastack/wdl-ci:v2.1.0@sha256:d6b2779446155ea677daa6242d18551d51fc05f5391a9a8fb111167f914a4f0c
       with:
         args: submit
     - name: monitor
-      uses: docker://dnastack/wdl-ci:v2.1.0
+      uses: docker://dnastack/wdl-ci:v2.1.0@sha256:d6b2779446155ea677daa6242d18551d51fc05f5391a9a8fb111167f914a4f0c
       with:
         args: monitor --update-digests
       # If a test fails, still update task digests for any tests that succeeded
       # This allows fixing broken tests without rerunning successful runs
     - name: update-config
       if: always()
-      uses: EndBug/add-and-commit@v9
+      uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
       with:
         add: ${{ inputs.config-file }}
         message: "update wdl-ci config file after successful tests"
@@ -80,6 +80,6 @@ runs:
         fetch: false
     - name: cleanup
       if: always()
-      uses: docker://dnastack/wdl-ci:v2.1.0
+      uses: docker://dnastack/wdl-ci:v2.1.0@sha256:d6b2779446155ea677daa6242d18551d51fc05f5391a9a8fb111167f914a4f0c
       with:
         args: cleanup