From e428dc74f13087e76c1878e49e6496da6037ede9 Mon Sep 17 00:00:00 2001
From: Mathieu Di-Majo
Date: Tue, 21 Apr 2026 17:07:57 +0200
Subject: [PATCH 1/3] fix(security): pin third-party GitHub Actions to immutable SHA
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 10 +++++-----
 .github/workflows/verify.yml | 4 ++--
 renovate.json | 8 ++++++++
 3 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e464f1b..20886cc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,10 +23,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Use Node.js ${{ env.NODE_VERSION }}
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: ${{ env.NODE_VERSION }}
 cache: 'yarn'
@@ -60,7 +60,7 @@ jobs:
 run: yarn build
 - name: Semantic Release
- uses: cycjimmy/semantic-release-action@v2
+ uses: cycjimmy/semantic-release-action@5982a02995853159735cb838992248c4f0f16166 # v2.7.0
 id: semantic
 with:
 semantic_version: ^18
@@ -101,9 +101,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- - uses: technote-space/workflow-conclusion-action@v3.0.3
+ - uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3.0.3
 - uses: reside-eng/workflow-status-notification-action@v1.2.4
 with:
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index accc4ba..6794135 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
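Review bot: Pinning `cycjimmy/semantic-release-action` to a commit in the `@@ -60` hunk still leaves the tool it installs floating, because the context line `semantic_version: ^18` has the action resolve `semantic-release` from npm at run time to whatever currently satisfies the caret range, so the release job's supply-chain pin is only as strong as that range. Consider an exact version, e.g. `semantic_version: "<exact 18.x version>"`, and the same treatment for any `extra_plugins` the step may declare outside this hunk, so that a new npm publish cannot change what the release job executes without a reviewed diff. For the `actions/checkout` and `actions/setup-node` pins in the `@@ -23` hunk (and the identical ones in the verify.yml `@@ -11` hunk), the trailing `# v4.3.1` / `# v4.4.0` comments are documentation only — the reviewer should confirm each SHA actually resolves to that tag, because once the ref is a digest Renovate reads the comment as the current version and a mistyped SHA would be silently treated as correct. The `reside-eng/workflow-status-notification-action@v1.2.4` context line in the `@@ -101` hunk stays on a mutable tag by design per the renovate rule in this patch; that is acceptable only if tag integrity is enforced on that first-party repo. Each hunk's enclosing job definition starts outside the hunk.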
@@ -11,10 +11,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Use Node.js ${{ env.NODE_VERSION }}
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: ${{ env.NODE_VERSION }}
 cache: 'yarn'
diff --git a/renovate.json b/renovate.json
index e08dd77..932cc2d 100644
--- a/renovate.json
+++ b/renovate.json
@@ -3,5 +3,13 @@
 "extends": [
 "github>reside-eng/renovate-config:library",
 ":reviewer(team:platform-tools)"
+ ],
+ "packageRules": [
+ {
+ "description": "Pin third-party GitHub Action digests (SHA + version comment). Excludes reside-eng first-party actions/workflows which stay on floating major tags.",
+ "matchDepTypes": ["action"],
+ "matchPackageNames": ["!/^reside-eng\\//"],
+ "pinDigests": true
+ }
 ]
 }
From 41d48e3cd17cf376ed238299e3dbaef3b5ee9442 Mon Sep 17 00:00:00 2001
From: Mathieu Di-Majo
Date: Thu, 23 Apr 2026 12:26:04 +0200
Subject: [PATCH 2/3] fix(security): pin additional third-party GitHub Actions missed in initial pass
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 2 +-
 .github/workflows/verify.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 20886cc..c699478 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -52,7 +52,7 @@ jobs:
 # run: yarn test --coverage --silent
 # - name: Upload coverage to Coveralls
- # uses: coverallsapp/github-action@v2.2.1
+ # uses: coverallsapp/github-action@95b1a2355bd0e526ad2fd62da9fd386ad4c98474 # v2.2.1
 # with:
 # github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 6794135..a741f8b 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
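Review bot: The negative match `"!/^reside-eng\\//"` in the new `packageRules` entry makes the pin policy silently depend on tag discipline in the reside-eng org: every first-party action, such as `reside-eng/workflow-status-notification-action@v1.2.4` in release.yml, keeps resolving a mutable tag, so a re-pointed tag reaches this repo with no diff for Renovate or a reviewer to see. If that trust is intended, it is worth recording the assumption in the rule's `description`, e.g. appending `Relies on tag protection in reside-eng repos.`, so the exemption is not read as an oversight later. Whether the shared `renovate-config:library` preset already enables digest pinning is not visible here; if it does, this rule is redundant and the two could disagree on the exclusion, so the preset's rule should be checked before merging.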
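Review bot: The new SHA on the `# uses: coverallsapp/github-action@95b1…` line sits inside a commented-out step, so it is inert and Renovate's github-actions manager does not appear to match commented `uses:` lines, which means the `# v2.2.1` digest will be stale by the time this step is uncommented (the same applies to the verify.yml `@@ -32` hunk in this patch). The same dead block is also the only place in these hunks where `${{ secrets.GITHUB_TOKEN }}` is handed to a third-party action, which is harmless while commented out but deserves a fresh look at the workflow's token permissions when the step is re-enabled. If the coverage upload is not coming back soon, deleting the dead block is cleaner than keeping a pin that cannot be maintained automatically; otherwise a short marker such as `# NOTE: re-verify this SHA against the coveralls tag before re-enabling` would make the limitation explicit. The enclosing job starts and ends outside the hunk.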
@@ -32,7 +32,7 @@ jobs:
 # run: yarn test --coverage --silent
 # - name: Upload coverage to Coveralls
- # uses: coverallsapp/github-action@v2.2.1
+ # uses: coverallsapp/github-action@95b1a2355bd0e526ad2fd62da9fd386ad4c98474 # v2.2.1
 # with:
 # github-token: ${{ secrets.GITHUB_TOKEN }}
From f1b1773e80b6874cd406a9afa8823ccfaf42bd5a Mon Sep 17 00:00:00 2001
From: Mathieu Di-Majo
Date: Fri, 24 Apr 2026 11:06:26 +0200
Subject: [PATCH 3/3] chore(deps): defer pinDigests rule to shared reside-eng/renovate-config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This rule will move to shared default.json as a follow-up (PR C) so every repo extending the shared preset inherits it without per-repo duplication. Existing third-party actions in this repo are already SHA-pinned via this PR series — removing this rule only affects future unpinned additions during the short window before the shared rule ships.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 renovate.json | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/renovate.json b/renovate.json
index 932cc2d..e08dd77 100644
--- a/renovate.json
+++ b/renovate.json
@@ -3,13 +3,5 @@
 "extends": [
 "github>reside-eng/renovate-config:library",
 ":reviewer(team:platform-tools)"
- ],
- "packageRules": [
- {
- "description": "Pin third-party GitHub Action digests (SHA + version comment). Excludes reside-eng first-party actions/workflows which stay on floating major tags.",
- "matchDepTypes": ["action"],
- "matchPackageNames": ["!/^reside-eng\\//"],
- "pinDigests": true
- }
 ]
 }