From 70f731f776bfcf94e55d1756dc5d6d3434a56264 Mon Sep 17 00:00:00 2001
From: tokict
Date: Tue, 24 Mar 2026 21:11:46 +0200
Subject: [PATCH] fix: pin third-party actions to SHA to prevent supply chain attacks

---
 .github/workflows/pages.yml | 4 ++--
 .github/workflows/test.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
index c9f276b..81bf695 100644
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@@ -13,7 +13,7 @@ jobs:
 steps:
 - uses: actions/checkout@v2
 - run: git fetch --prune --unshallow --tags
- - uses: cachix/install-nix-action@v12
+ - uses: cachix/install-nix-action@07da2520eebede906fbeefa9dd0a2b635323909d # v12
 with:
 nix_path: nixpkgs=channel:nixos-unstable
 - run: nix-env -f '' -iA ronn
@@ -23,7 +23,7 @@ jobs:
 mkdir pages
 mv ./cached-nix-shell.1.html pages
 - name: Deploy
- uses: peaceiris/actions-gh-pages@v3
+ uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_dir: ./pages
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a2968d3..b91f683 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,10 +7,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
- - uses: cachix/install-nix-action@v15
+ - uses: cachix/install-nix-action@5f45af07a1f451c75a4ce84e1514200195a1f279 # v15
 with:
 nix_path: nixpkgs=channel:nixos-unstable
- - uses: cachix/cachix-action@v10
+ - uses: cachix/cachix-action@73e75d1a0cd4330597a571e8f9dedb41faa2fc4e # v10
 with:
 name: xzfc
 signingKey: ${{ secrets.CACHIX_SIGNING_KEY }}
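Review bot: `actions/checkout@v2` on the context line above the new pin is still a mutable tag, here and in the test.yml hunk; the commit title limits the change to third-party actions, so if GitHub-owned actions are deliberately left on tags, saying so in the description would stop the next reader from treating it as an oversight, otherwise pin it the same way, e.g. `- uses: actions/checkout@<full-commit-sha> # v2`. A SHA pin freezes the action at that commit, so without automation the pinned versions will not pick up fixes; a `.github/dependabot.yml` entry with `package-ecosystem: github-actions` (or Renovate) keeps the SHA and the trailing `# v12` comment in step. The `nixpkgs=channel:nixos-unstable` input on the context line below remains a floating channel, so the pin covers the action itself but not what it installs; that is a separate follow-up rather than a defect of this hunk.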
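Review bot: The pinned `peaceiris/actions-gh-pages` step still receives `github_token: ${{ secrets.GITHUB_TOKEN }}` on the context line below it, and a SHA pin bounds which code runs, not what that token may do; if the workflow does not already declare `permissions:` (not visible in this hunk), add a job-level `permissions:` block with `contents: write` so the token is limited to the push that publishing needs. The replaced ref was the floating major tag `v3` while the comment on the new line records `v3.9.3`, so the change also freezes a specific patch release; a short note in the description would make that intentional. The enclosing job starts before this hunk.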
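Review bot: The two workflows now pin `cachix/install-nix-action` at different commits, `# v15` here versus `# v12` in pages.yml, and with SHA pins that divergence is no longer obvious at a glance; unless pages.yml needs v12 for a reason not visible here, aligning both on one SHA halves the number of pins to verify and update. The pin on `cachix/cachix-action` is the one worth keeping tightest, since `signingKey: ${{ secrets.CACHIX_SIGNING_KEY }}` on the context line below hands a signing secret to that action. `actions/checkout@v2` remaining on a tag is noted on the first pages.yml hunk.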