From 5b90292bdcdee6b285e94084491ca703ab85c5a5 Mon Sep 17 00:00:00 2001
From: Jesse Hills <3060199+jesserockz@users.noreply.github.com>
Date: Mon, 13 Apr 2026 20:35:34 +1200
Subject: [PATCH] Pin GitHub Actions to commit SHAs

Replace mutable tag references with immutable commit SHAs to prevent supply-chain attacks via compromised tags. Version comments are preserved for readability.
---
 .github/workflows/publish.yml | 4 ++--
 .github/workflows/push.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index accf6959..d0dceec1 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -8,9 +8,9 @@ jobs:
 publish:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4.1.7
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Set up Python
- uses: actions/setup-python@v5.2.0
+ uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
 with:
 python-version: '3.x'
 - name: Install platformio
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index b7b62c69..a153f779 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -14,8 +14,8 @@ jobs:
 matrix:
 os: [ubuntu-latest]
 steps:
- - uses: actions/checkout@v3
- - uses: arduino/setup-arduino-cli@v1
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - uses: arduino/setup-arduino-cli@28065f7e0317cc0dde372e0c11631963d743ee3b # v1.1.2
 - name: Download board
 run: |
 arduino-cli --config-file arduino-cli.yaml core update-index
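Review bot: The `Install platformio` step that closes the `publish.yml` hunk, and the `python-version: '3.x'` just above it, are still resolved at run time, so the two SHA pins do not make the publish job reproducible on their own. The step's command lies outside the hunk; if it is an unversioned `pip install platformio`, consider an exact version such as `pip install platformio==<PINNED_VERSION>` (placeholder), so that the job which presumably handles the publish credentials does not run whatever release the package index serves that day. Nothing in the diff checks the `# v4.1.7` and `# v5.2.0` comments against the SHAs, so each SHA should be confirmed against the upstream tag before merging.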
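Review bot: In the `push.yml` hunk, `arduino/setup-arduino-cli` is followed directly by `- name: Download board` with no `with:` block, so the action's `version` input stays at its default and the arduino-cli binary it downloads is still chosen at run time, as is the index fetched by `core update-index`. Pinning the action SHA does not cover that; adding `with:` and `version: "<PINNED_CLI_VERSION>"` (placeholder) under the step would. Replacing the floating `@v3` and `@v1` tags with SHAs also stops patch releases from arriving on their own, so the pins need an updater, for instance a Dependabot entry with `package-ecosystem: "github-actions"` if the repository does not already have one. `actions/checkout` is pinned at v3.6.0 here while `publish.yml` in the same commit uses v4.1.7, and aligning the two is worth considering. The `run: |` body continues past the end of the hunk.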