From 1a77648881f078d04056a55dc338876b68e861aa Mon Sep 17 00:00:00 2001
From: Roy Dahan
Date: Mon, 8 Jun 2026 04:12:50 +0300
Subject: [PATCH] ci: pin GitHub Actions to commit SHAs
Pin all external GitHub Actions to full commit SHAs to reduce supply chain attack surface. Upgrade outdated actions to their latest versions.
Reference: https://github.com/scylladb/scylladb/pull/29421
---
 .github/workflows/docs-pages.yaml | 8 ++++----
 .github/workflows/docs-pr.yaml | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/docs-pages.yaml b/.github/workflows/docs-pages.yaml
index dfbabebd..4d7b4512 100644
--- a/.github/workflows/docs-pages.yaml
+++ b/.github/workflows/docs-pages.yaml
@@ -17,7 +17,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 ref: ${{ github.event.repository.default_branch }}
 persist-credentials: false
@@ -27,7 +27,7 @@ jobs:
 run: sudo apt-get update && sudo apt-get install -y doxygen
 - name: Install uv
- uses: astral-sh/setup-uv@v8.1.0
+ uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 with:
 enable-cache: true
 cache-dependency-glob: "docs/uv.lock"
@@ -47,7 +47,7 @@ jobs:
 .
 - name: Upload artifact
- uses: actions/upload-artifact@v4.3.3
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 with:
 name: github-pages
 path: ${{ runner.temp }}/artifact.tar
@@ -73,4 +73,4 @@ jobs:
 steps:
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
diff --git a/.github/workflows/docs-pr.yaml b/.github/workflows/docs-pr.yaml
index 812ea0ad..8dd264a5 100644
--- a/.github/workflows/docs-pr.yaml
+++ b/.github/workflows/docs-pr.yaml
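Review bot: The `# v6.0.3` comment on the new `actions/checkout` pin in the `Checkout` step of `docs-pages.yaml` is the only thing tying that SHA to a release, and the same is true of the `setup-uv`, `upload-artifact` and `deploy-pages` pins in that file and the two pins in `docs-pr.yaml`. The comment is advisory and is never checked by the runner, so each SHA should be confirmed to be the tagged commit in the action's own repository; a commit that exists only in a fork of the action can still resolve under the upstream `owner/repo` name. Pinned SHAs also stop picking up fixes by themselves, so if the repository has no updater for workflows yet, a Dependabot entry with `package-ecosystem: "github-actions"` (or the Renovate equivalent) would keep both the SHAs and their version comments current. The steps lists continue outside these hunks.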
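Review bot: The `Deploy to GitHub Pages` step in `docs-pages.yaml` moves from `actions/deploy-pages@v4` to a SHA labelled `# v5.0.0`, a major-version change, while the `Upload artifact` step that produces the `github-pages` artifact stays on `upload-artifact` v4.3.3. The diff does not show whether the new major still accepts an artifact uploaded this way, so the Pages deployment should be exercised once before merging. Splitting the upgrade into its own commit would also let a failed deploy be reverted without undoing the pinning. The deploy job's `permissions` and `environment` keys lie outside the hunk and were not reviewed.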
@@ -19,13 +19,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 fetch-depth: 0
 - name: Install uv
- uses: astral-sh/setup-uv@v8.1.0
+ uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 with:
 working-directory: docs
 enable-cache: true