From 62ae9216c7725cfeb7388927b9e2a17f010c4e03 Mon Sep 17 00:00:00 2001
From: "aikido-autofix[bot]"
 <119856028+aikido-autofix[bot]@users.noreply.github.com>
Date: Thu, 21 May 2026 10:41:21 +0000
Subject: [PATCH] fix(security): autofix 3rd party Github Actions should be
 pinned

---
 .github/workflows/build.yml             | 2 +-
 .github/workflows/refresh-resources.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2b2cf97..52032b7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -26,6 +26,6 @@ jobs:
         run: npm run test:coverage
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
         with:
           fail_ci_if_error: true
\ No newline at end of file
diff --git a/.github/workflows/refresh-resources.yml b/.github/workflows/refresh-resources.yml
index dfdcdc4..b89cea4 100644
--- a/.github/workflows/refresh-resources.yml
+++ b/.github/workflows/refresh-resources.yml
@@ -58,7 +58,7 @@ jobs:
 
       - name: Create PR
         if: steps.diff.outputs.changed == 'true'
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
         with:
           token: ${{ secrets.CREATE_PR_TOKEN || github.token }}
           commit-message: 'chore(resources): refresh embedded resources'