From 80eb215fa3563e92e411d25c96428d887e6db28b Mon Sep 17 00:00:00 2001
From: Semgrep Autofix <autofix@semgrep.com>
Date: Fri, 20 Mar 2026 13:00:58 +0000
Subject: [PATCH 1/2] ci: Pin haskell-actions/setup to full commit SHA

Pin third-party GitHub Action to a full commit SHA for improved supply chain security.

## Changes
- Replace `haskell-actions/setup@v2` with `haskell-actions/setup@ec49483bfc012387b227434aba37f03a6e8ba9ed`
- Add version comment (`# v2`) to maintain visibility of the intended version

## Why
Pinning to a full commit SHA is the only way to use a GitHub Action as an immutable release. Version tags like `v2` can be moved by repository maintainers, potentially introducing malicious code. A full SHA pin ensures the exact same code runs on every workflow execution, mitigating supply chain attacks since an attacker would need to generate a SHA-1 collision for a valid Git object payload.

## Semgrep Finding Details
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

@pkaeding@launchdarkly.com requested Semgrep Assistant generate this pull request to fix [a finding](https://semgrep.dev/orgs/launchdarkly/findings/726904704).
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index aea87d4..64246fa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,7 +22,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: haskell-actions/setup@v2
+      - uses: haskell-actions/setup@ec49483bfc012387b227434aba37f03a6e8ba9ed # v2
         with:
           ghc-version: 8.10.7
           enable-stack: true

From 1adfcf87a08b6d7f0c7aeb786de3a6559a4e1183 Mon Sep 17 00:00:00 2001
From: "Matthew M. Keeler" <mkeeler@launchdarkly.com>
Date: Fri, 20 Mar 2026 15:51:33 -0400
Subject: [PATCH 2/2] Apply suggestion from @keelerm84

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 64246fa..8b959ed 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,7 +22,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: haskell-actions/setup@ec49483bfc012387b227434aba37f03a6e8ba9ed # v2
+      - uses: haskell-actions/setup@f9150cb1d140e9a9271700670baa38991e6fa25c # v2.10.3
         with:
           ghc-version: 8.10.7
           enable-stack: true