ci: pin all actions to full-length commit SHAs (#36621)

Pin all remaining GitHub Actions references to full-length commit SHAs, matching the convention already established by third-party actions in this repo. This is a prerequisite for enabling GitHub's "Require actions to be pinned to a full-length commit SHA" repository ruleset, which mitigates tag-hijacking supply chain attacks.
2026-06-09 18:50:33 +00:00 · 2026-04-08 19:02:58 -04:00
parent dd7c3eb3a4
commit 6443612fa3
20 changed files with 68 additions and 68 deletions
--- a/.github/workflows/_refresh_model_profiles.yml
+++ b/.github/workflows/_refresh_model_profiles.yml
@@ -91,11 +91,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: "📋 Checkout"
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: "📋 Checkout langchain-profiles CLI"
        if: inputs.cli-path == ''
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          repository: langchain-ai/langchain
          ref: ${{ inputs.cli-ref }}
@@ -169,7 +169,7 @@ jobs:

      - name: "🔑 Generate GitHub App token"
        id: app-token
-        uses: actions/create-github-app-token@v3
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
        with:
          app-id: ${{ secrets.MODEL_PROFILE_BOT_APP_ID }}
          private-key: ${{ secrets.MODEL_PROFILE_BOT_PRIVATE_KEY }}