From c3ed969afa1178f2f1701c95aa05b063c34dc2a7 Mon Sep 17 00:00:00 2001
From: GaltRanch <bruno@nexocore.uy>
Date: Sun, 24 May 2026 12:01:59 -0300
Subject: [PATCH] ci: pin third-party Actions to commit SHAs (CWE-829)

Signed-off-by: GaltRanch <bruno@nexocore.uy>
---
 .github/workflows/build-osal-documentation.yml | 2 +-
 .github/workflows/mcdc.yml                     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build-osal-documentation.yml b/.github/workflows/build-osal-documentation.yml
index 09aa7aa12..8de427401 100644
--- a/.github/workflows/build-osal-documentation.yml
+++ b/.github/workflows/build-osal-documentation.yml
@@ -22,7 +22,7 @@ jobs:
       should_skip: ${{ steps.skip_check.outputs.should_skip }}
     steps:
       - id: skip_check
-        uses: fkirc/skip-duplicate-actions@master
+        uses: fkirc/skip-duplicate-actions@04a1aebece824b56e6ad6a401d015479cd1c50b3 # master
         with:
           concurrent_skipping: 'same_content'
           skip_after_successful_duplicate: 'true'
diff --git a/.github/workflows/mcdc.yml b/.github/workflows/mcdc.yml
index 993d72fdd..8f3ba07f5 100644
--- a/.github/workflows/mcdc.yml
+++ b/.github/workflows/mcdc.yml
@@ -31,7 +31,7 @@ jobs:
       should_skip: ${{ steps.skip_check.outputs.should_skip }}
     steps:
       - id: skip_check
-        uses: fkirc/skip-duplicate-actions@master
+        uses: fkirc/skip-duplicate-actions@04a1aebece824b56e6ad6a401d015479cd1c50b3 # master
         with:
           concurrent_skipping: 'same_content'
           skip_after_successful_duplicate: 'true'
@@ -141,7 +141,7 @@ jobs:
 
       - name: Download latest main branch artifact
         continue-on-error: true
-        uses: dawidd6/action-download-artifact@v2
+        uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           workflow: mcdc-internal.yml