From 2c2e6fe2dc44b720f7376572d95ebe09fb519b32 Mon Sep 17 00:00:00 2001
From: Jimisola Laursen <jimisola.laursen@resurs.se>
Date: Sat, 7 Mar 2026 22:58:40 +0100
Subject: [PATCH 1/2] build: SHA-pin GitHub Actions for supply-chain security

Pin external action references to exact commit SHAs instead of
branch or major-version tags to prevent supply-chain attacks.

Signed-off-by: jimisola <jimisola@jimisola.com>
---
 .github/workflows/check-semantic-pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml
index 5bacd57..dfb02a0 100644
--- a/.github/workflows/check-semantic-pr.yml
+++ b/.github/workflows/check-semantic-pr.yml
@@ -7,4 +7,4 @@ on:
 
 jobs:
   check:
-    uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main
+    uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07

From a06ccd5b25d17a947481c021c7a5cb6de0fb2a3e Mon Sep 17 00:00:00 2001
From: Jimisola Laursen <jimisola@jimisola.com>
Date: Sun, 22 Mar 2026 17:40:53 +0100
Subject: [PATCH 2/2] Potential fix for code scanning alert no. 10: Workflow
 does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Jimisola Laursen <jimisola@jimisola.com>
---
 .github/workflows/check-semantic-pr.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml
index dfb02a0..968e327 100644
--- a/.github/workflows/check-semantic-pr.yml
+++ b/.github/workflows/check-semantic-pr.yml
@@ -5,6 +5,9 @@ on:
   pull_request_target:
     types: [opened, edited, synchronize, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   check:
     uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07