From 8118565d20c20cae223bd9245e200c1c86ea6ddd Mon Sep 17 00:00:00 2001
From: Joshua Napoli
Date: Mon, 30 Mar 2026 10:19:57 -0400
Subject: [PATCH] [PD1-951] Pin all GitHub Actions to specific commit SHAs

Pin all GitHub Actions to their full commit SHA to reduce the risk of supply-chain attacks in the GitHub Actions ecosystem.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/ci.yml | 2 +-
 .github/workflows/pyproject-license-check.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0de1751..f5b7f32 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- - uses: CVector-Energy/python-test@main
+ - uses: CVector-Energy/python-test@b956bb181831f0ddca3496505d5823c678a926e7 # main
 with:
 python-version: ${{ matrix.python-version }}
 src-dirs: .
diff --git a/.github/workflows/pyproject-license-check.yml b/.github/workflows/pyproject-license-check.yml
index b2ae716..37e82fc 100644
--- a/.github/workflows/pyproject-license-check.yml
+++ b/.github/workflows/pyproject-license-check.yml
@@ -11,7 +11,7 @@ jobs:
 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 - name: Check Python licenses
- uses: CVector-Energy/pyproject-license-check@main
+ uses: CVector-Energy/pyproject-license-check@977092b2a13e0766082dfdfb7c57b67985c675e8 # main
 with:
 app-id: ${{ vars.APP_ID }}
 app-private-key: ${{ secrets.APP_PRIVATE_KEY }}
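Review bot: The trailing `# main` on the new `CVector-Energy/python-test` pin in `.github/workflows/ci.yml` names a branch rather than a release, so a later reader cannot tell how old the pin is or what to diff it against when updating; the `pyproject-license-check` pin in the second hunk has the same comment. If those repositories publish tags, pin a tagged commit and put the tag in the comment, as the neighbouring `actions/checkout` line does with `# v6.0.1`; otherwise record the date, for example `# main as of 2026-03-30`. Before merging, it is also worth confirming that each SHA is reachable from the upstream repository's `main` branch, because a commit that exists only in a fork can, as far as I know, still resolve under the parent repository's name.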
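Review bot: The SHA pin on `CVector-Energy/pyproject-license-check` in `.github/workflows/pyproject-license-check.yml` fixes only that action's own files, not anything it references in turn, and this step passes it `secrets.APP_PRIVATE_KEY`. If it is a composite action that calls other actions by tag or branch, or it pulls a container image by mutable tag, the key is still handed to code that can change under the pin. That cannot be checked from this hunk and should be verified in the action's repository at the pinned commit. Separately, the context line here pins `actions/checkout` at `# v6.0.0` while `ci.yml` uses `# v6.0.1`; aligning the two would keep future pin updates easier to review. The job's step list starts and ends outside the hunk.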