From 956c27df6b7d7c84052b3fcbf8e680b91936af04 Mon Sep 17 00:00:00 2001 
From: Jeff <158072326+jeffrey701@users.noreply.github.com> Date: Sat, 30 May 2026 14:35:19 -0700 Subject: [PATCH] chore(ci): pin GitHub Actions to commit SHAs (#1811) (#1870) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * chore(ci): pin GitHub Actions to commit SHAs (#1811) Follow-up to #1810. The Node-24 upgrade left every workflow on mutable tag refs (`actions/checkout@v5`, `actions/download-artifact@v7`, etc.) which superagent-security[bot] flagged on the ci.yml + publish.yml reviews. Pin all 18 external actions to the commit SHA they currently resolve to and add a trailing `# vMAJOR.MINOR.PATCH` comment so reviewers can see the version. Local reusable-workflow refs (`uses: ./.github/...`) are left alone — pinning those would defeat the point. Closes #1811 * chore(ci): address review — persist-credentials + setup-node consistency (#1811) Two pieces of follow-up feedback on the SHA-pinning PR: - @coderabbitai (P1 nitpicks) + @JSONbored: add 'persist-credentials: false' to checkout steps in jobs that don't perform authenticated git operations. Adds the line to 17 read-only checkouts across 9 workflows (chart-ci, ci, flutter-build, helm-publish, ios-testflight, llm-evals, preview-cleanup, preview-deploy, publish:build). Checkouts inside jobs that 'git push' (chart-release, mobile-build, mobile-release, helm-publish:second-checkout, publish:bump-pre_release) are intentionally left alone so they keep their token. - @jjmata: preview-deploy.yml was the only workflow on actions/setup-node v6.4.0; everywhere else pinned v5.0.0. Standardise on v5.0.0 to match. Dependabot config already has a github-actions ecosystem entry with a weekly schedule, so no addition needed for that point. * chore(ci): document intentional setup-node v6→5 normalization (#1811) @superagent-security flagged the v6.4.0 -> v5.0.0 change in preview-deploy.yml as a possible unintended downgrade. 
The downgrade was deliberate, per @jjmata's review request to normalize setup-node across all workflows. Add an inline YAML comment next to the line so future scans don't re-flag it. --------- Signed-off-by: Juan José Mata Co-authored-by: jeffrey701 Co-authored-by: Juan José Mata --- .github/workflows/chart-ci.yml | 10 +++++-- .github/workflows/chart-release.yml | 6 ++-- .github/workflows/ci.yml | 38 ++++++++++++++++-------- .github/workflows/flutter-build.yml | 20 ++++++++----- .github/workflows/google-play-upload.yml | 4 +-- .github/workflows/helm-publish.yml | 9 +++--- .github/workflows/ios-testflight.yml | 8 +++-- .github/workflows/llm-evals.yml | 16 ++++++---- .github/workflows/mobile-build.yml | 8 ++--- .github/workflows/mobile-release.yml | 8 ++--- .github/workflows/pipelock.yml | 4 +-- .github/workflows/preview-cleanup.yml | 14 +++++---- .github/workflows/publish.yml | 29 +++++++++--------- .github/workflows/update-docs.yml | 2 +- 14 files changed, 104 insertions(+), 72 deletions(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index 9f3b25958..8ca9111d4 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -20,7 +20,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Check version alignment shell: bash
@@ -64,10 +66,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Install Helm - uses: azure/setup-helm@v5 + uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 - name: Add chart dependencies repositories run: |
diff --git a/.github/workflows/chart-release.yml b/.github/workflows/chart-release.yml
index e09bd9483..ee33ddcce 100644
--- a/.github/workflows/chart-release.yml
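Review bot: The `# v5.0.1` trailer added after the actions/checkout SHA in the first chart-ci hunk is the only human-readable indication of what the pin resolves to, and nothing in this patch checks that the SHA is in fact the commit that tag points at; the same holds for every other pinned `uses:` line in the patch, so this is raised once here. A trailer that drifts from the real pin misleads reviewers and, as far as I recall, also Dependabot, which reads that comment to decide which version it is updating from. Consider adding a lint step that resolves each pinned SHA against the upstream tag named in its trailer and fails the run on mismatch, and keep the trailer format uniform (`# vMAJOR.MINOR.PATCH`) so such a check can parse it; if the lint is itself an external action it should be pinned the same way. The checkout step's new `with:` block is otherwise right: `persist-credentials: false` is the correct default for a job that only lints the chart.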
+++ b/.github/workflows/chart-release.yml
@@ -18,7 +18,7 @@ jobs: app_version: ${{ steps.tag.outputs.app_version }} steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: fetch-depth: 0
@@ -79,13 +79,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Download Helm chart artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: helm-chart-package path: ${{ runner.temp }}/helm-artifacts - name: Create chart GitHub Release - uses: softprops/action-gh-release@v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 with: tag_name: ${{ needs.prepare_release.outputs.tag_name }} name: ${{ needs.prepare_release.outputs.tag_name }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 02a5a640e..d9ab5d2c4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,10 +9,12 @@ jobs: timeout-minutes: 10 steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0 with: ruby-version: .ruby-version bundler-cache: true
@@ -28,10 +30,12 @@ jobs: timeout-minutes: 10 steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0 with: ruby-version: .ruby-version bundler-cache: true
@@ -44,10 +48,12 @@ jobs: timeout-minutes: 10 steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0 with: ruby-version: .ruby-version bundler-cache: true
@@ -60,10 +66,12 @@ jobs: timeout-minutes: 10 steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Setup Node.js environment - uses: actions/setup-node@v5 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: "24" cache: "npm"
@@ -107,10 +115,12 @@ jobs: run: sudo apt-get update && sudo apt-get install --no-install-recommends -y google-chrome-stable curl libvips postgresql-client libpq-dev - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0 with: ruby-version: .ruby-version bundler-cache: true
@@ -156,10 +166,12 @@ jobs: run: sudo apt-get update && sudo apt-get install --no-install-recommends -y google-chrome-stable curl libvips postgresql-client libpq-dev - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0 with: ruby-version: .ruby-version bundler-cache: true
@@ -174,7 +186,7 @@ jobs: run: DISABLE_PARALLELIZATION=true bin/rails test:system - name: Keep screenshots from failed system tests - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: failure() with: name: screenshots
diff --git a/.github/workflows/flutter-build.yml b/.github/workflows/flutter-build.yml
index 696a8e9f7..5fe42ea5d 100644
--- a/.github/workflows/flutter-build.yml
+++ b/.github/workflows/flutter-build.yml
@@ -21,16 +21,18 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' java-version: '17' - name: Set up Flutter - uses: subosito/flutter-action@v2 + uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0 with: flutter-version: '3.32.4' channel: 'stable'
@@ -93,7 +95,7 @@ jobs: fi - name: Upload APK artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: app-release-apk path: |
@@ -109,7 +111,7 @@ jobs: - name: Upload AAB artifact if: steps.check_secrets.outputs.has_keystore == 'true' - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: app-release-aab path: mobile/build/app/outputs/bundle/release/app-release.aab
@@ -122,10 +124,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Set up Flutter - uses: subosito/flutter-action@v2 + uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0 with: flutter-version: '3.32.4' channel: 'stable'
@@ -167,7 +171,7 @@ jobs: echo "For distribution, you need to configure code signing with Apple certificates" >> build/ios-build-info.txt - name: Upload iOS build artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ios-build-unsigned path: |
diff --git a/.github/workflows/google-play-upload.yml b/.github/workflows/google-play-upload.yml
index efb762e02..73f861321 100644
--- a/.github/workflows/google-play-upload.yml
+++ b/.github/workflows/google-play-upload.yml
@@ -56,7 +56,7 @@ jobs: - name: Download Android AAB artifact if: ${{ steps.check_prereqs.outputs.enabled == 'true' }} - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: app-release-aab path: ${{ runner.temp }}/android-aab
@@ -98,7 +98,7 @@ jobs: - name: Upload to Google Play if: ${{ steps.check_prereqs.outputs.enabled == 'true' }} - uses: r0adkll/upload-google-play@v1 + uses: r0adkll/upload-google-play@e738b9dd8f2476ea806d921b64aacd24f34515a5 # v1.1.5 with: serviceAccountJson: ${{ steps.play_creds.outputs.credentials-path }} packageName: am.sure.mobile
diff --git a/.github/workflows/helm-publish.yml b/.github/workflows/helm-publish.yml
index 9f6c6b3b6..510c64049 100644
--- a/.github/workflows/helm-publish.yml
+++ b/.github/workflows/helm-publish.yml
@@ -29,12 +29,13 @@ jobs: app_version: ${{ steps.version.outputs.app_version }} steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + persist-credentials: false fetch-depth: 0 - name: Install Helm - uses: azure/setup-helm@v5 + uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 - name: Resolve chart and app versions id: version
@@ -88,7 +89,7 @@ jobs: helm package charts/sure -d .cr-release-packages - name: Upload packaged chart artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: helm-chart-package path: .cr-release-packages/*.tgz
@@ -98,7 +99,7 @@ jobs: - name: Checkout gh-pages if: ${{ inputs.update_gh_pages }} - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: gh-pages path: gh-pages
diff --git a/.github/workflows/ios-testflight.yml b/.github/workflows/ios-testflight.yml
index 6e058642c..13ae2f52c 100644
--- a/.github/workflows/ios-testflight.yml
+++ b/.github/workflows/ios-testflight.yml
@@ -28,7 +28,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Check TestFlight credentials id: check_prereqs
@@ -91,7 +93,7 @@ jobs: xcrun --sdk iphoneos --show-sdk-version - name: Set up Flutter - uses: subosito/flutter-action@v2 + uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0 if: ${{ steps.check_prereqs.outputs.enabled == 'true' }} with: flutter-version: '3.32.4'
@@ -293,7 +295,7 @@ jobs: - name: Upload build artifact if: ${{ steps.check_prereqs.outputs.enabled == 'true' }} - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ios-ipa-testflight path: mobile/build/ios/ipa/*.ipa
diff --git a/.github/workflows/llm-evals.yml b/.github/workflows/llm-evals.yml
index 13b608336..aaa5a13a1 100644
--- a/.github/workflows/llm-evals.yml
+++ b/.github/workflows/llm-evals.yml
@@ -101,10 +101,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0 with: ruby-version: .ruby-version bundler-cache: true
@@ -204,10 +206,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0 with: ruby-version: .ruby-version bundler-cache: true
@@ -320,7 +324,7 @@ jobs: echo "status=$(jq -r '.status' "$JSON_PATH")" >> "$GITHUB_OUTPUT" - name: Upload eval artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: llm-evals-${{ steps.dataset_slug.outputs.slug }}-${{ steps.dataset_slug.outputs.model_slug }} path: |
@@ -346,7 +350,7 @@ jobs: steps: - name: Download all artifacts - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: path: eval-artifacts pattern: llm-evals-*
diff --git a/.github/workflows/mobile-build.yml b/.github/workflows/mobile-build.yml
index fe985bb01..fc1990330 100644
--- a/.github/workflows/mobile-build.yml
+++ b/.github/workflows/mobile-build.yml
@@ -64,21 +64,21 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{ github.ref }} fetch-depth: 0 - name: Download Android APK artifact continue-on-error: true - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: app-release-apk path: ${{ runner.temp }}/mobile-artifacts - name: Download iOS build artifact continue-on-error: true - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: ios-build-unsigned path: ${{ runner.temp }}/ios-build
@@ -170,7 +170,7 @@ jobs: ${{ runner.temp }}/release-assets/* - name: Checkout gh-pages branch - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: gh-pages path: gh-pages
diff --git a/.github/workflows/mobile-release.yml b/.github/workflows/mobile-release.yml
index 0852a7208..dc462ba0a 100644
--- a/.github/workflows/mobile-release.yml
+++ b/.github/workflows/mobile-release.yml
@@ -23,7 +23,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: fetch-depth: 0
@@ -112,13 +112,13 @@ jobs: echo "Extracted version: $VERSION" - name: Download Android APK artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: app-release-apk path: ${{ runner.temp }}/mobile-artifacts - name: Download iOS build artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: ios-build-unsigned path: ${{ runner.temp }}/ios-build
@@ -258,7 +258,7 @@ jobs: done - name: Checkout gh-pages branch - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: gh-pages path: gh-pages
diff --git a/.github/workflows/pipelock.yml b/.github/workflows/pipelock.yml
index 7b3b46af9..f19d3b94f 100644
--- a/.github/workflows/pipelock.yml
+++ b/.github/workflows/pipelock.yml
@@ -11,13 +11,13 @@ jobs: security-scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: fetch-depth: 0 persist-credentials: false - name: Pipelock Scan - uses: luckyPipewrench/pipelock@v2 + uses: luckyPipewrench/pipelock@cef4f47eb99ffe00e20fa7d1423bff1a44742dbe # v2.4.0 with: scan-diff: 'true' fail-on-findings: 'true'
diff --git a/.github/workflows/preview-cleanup.yml b/.github/workflows/preview-cleanup.yml
index b36c2cba4..8d09aeff5 100644
--- a/.github/workflows/preview-cleanup.yml
+++ b/.github/workflows/preview-cleanup.yml
@@ -30,10 +30,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@v5 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: "24"
@@ -52,7 +54,7 @@ jobs: wrangler delete --name "$WORKER_NAME" --force || echo "Worker may not exist" - name: Delete GitHub Deployment - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 with: script: | const environment = `preview-pr-${{ github.event.pull_request.number }}`;
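Review bot: The preview-cleanup `Delete GitHub Deployment` step pins actions/github-script to `f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0`, while update-docs.yml in this same patch pins the same action to `ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0`, so the repository now carries two majors of one action. The description normalises setup-node across workflows for exactly this reason; either move this step to the v8 pin as well, or add an inline comment stating why v7 is kept, e.g. `# v7.1.0 — kept on v7 pending <reason>`, so the next pin scan does not flag it as stale. The `script:` block under the changed line continues outside the hunk.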
@@ -92,10 +94,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@v5 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: "24"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 225886dea..9a30609b0 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -73,15 +73,16 @@ jobs: steps: - name: Check out the repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: + persist-credentials: false ref: ${{ github.event.inputs.ref || github.ref }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Log in to the container registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }}
@@ -118,7 +119,7 @@ jobs: - name: Extract metadata for Docker id: meta - uses: docker/metadata-action@v6 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} flavor: latest=false
@@ -132,7 +133,7 @@ jobs: org.opencontainers.image.description=A multi-arch Docker image for the Sure Rails app - name: Publish 'linux/${{ matrix.platform }}' image by digest - uses: docker/build-push-action@v7 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 id: build with: context: .
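Review bot: The setup-node pin in the second preview-cleanup hunk is `a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0`, and the commit description says preview-deploy.yml was normalised to this same pin and given an inline comment explaining the v6→v5 move, yet preview-deploy.yml appears in neither the 14-file diffstat nor any hunk of this patch. Either that file's change was lost in the squash or the description is out of date; please reconcile, because a reader of this commit cannot otherwise confirm that the normalisation happened or that preview-deploy's read-only checkouts received `persist-credentials: false` as the description states. If the change did land separately, a one-line pointer to that commit in the description would close the gap.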
@@ -158,7 +159,7 @@ jobs: - name: Upload the Docker image digest if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') || github.event_name == 'schedule' || github.event.inputs.push }} - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: digest-${{ matrix.platform }} path: ${{ runner.temp }}/digests/*
@@ -178,17 +179,17 @@ jobs: steps: - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Download Docker image digests - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: path: ${{ runner.temp }}/digests pattern: digest-* merge-multiple: true - name: Log in to the container registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }}
@@ -275,19 +276,19 @@ jobs: steps: - name: Download Android APK artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: app-release-apk path: ${{ runner.temp }}/mobile-artifacts - name: Download iOS build artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: ios-build-unsigned path: ${{ runner.temp }}/ios-build - name: Download Helm chart artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: helm-chart-package path: ${{ runner.temp }}/helm-artifacts
@@ -338,7 +339,7 @@ jobs: ls -la "${{ runner.temp }}/release-assets/" - name: Create GitHub Release - uses: softprops/action-gh-release@v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 with: tag_name: ${{ github.ref_name }} name: ${{ github.ref_name }}
@@ -425,7 +426,7 @@ jobs: echo "branch=$SOURCE_BRANCH" >> $GITHUB_OUTPUT - name: Check out source branch - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{ steps.source_branch.outputs.branch }} token: ${{ github.token }}
diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml
index 720651b87..52cbe8d20 100644
--- a/.github/workflows/update-docs.yml
+++ b/.github/workflows/update-docs.yml
@@ -11,7 +11,7 @@ jobs: permissions: {} runs-on: ubuntu-latest steps: - - uses: actions/github-script@v8 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: MINTLIFY_API_KEY: ${{ secrets.MINTLIFY_API_KEY }} PROJECT_ID: ${{ secrets.MINTLIFY_PROJECT_ID }}