From cbe25d567c7ee110b8fc344c0d38e39a8a2e705e Mon Sep 17 00:00:00 2001
From: Nathan Woodrow <woodrow.nathan@gmail.com>
Date: Fri, 9 May 2025 20:55:05 +1000
Subject: [PATCH] Update other 3rd patry github workflows to pin SHA

---
 .github/workflows/backport.yml               |  2 +-
 .github/workflows/build-macos-qt6.yml        |  4 ++--
 .github/workflows/code_layout.yml            |  2 +-
 .github/workflows/pr-needs-documentation.yml | 10 +++++-----
 .github/workflows/pr_unstale_commit.yml      |  2 +-
 .github/workflows/run-tests.yml              |  6 +++---
 .github/workflows/sipify-bot.yml             |  2 +-
 7 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index a338983ca6c..ae3ef85a0e3 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -20,6 +20,6 @@ jobs:
       - name: Backport Bot
         id: backport
         if: github.event.pull_request.merged && ( ( github.event.action == 'closed' && contains( join( github.event.pull_request.labels.*.name ), 'backport') ) || contains( github.event.label.name, 'backport' ) )
-        uses: m-kuhn/backport@v1.2.7
+        uses: m-kuhn/backport@7f3cab83e4b3b26aefcffda21851c3dc3d389f45 #v1.2.7
         with:
           github_token: ${{ secrets.GH_TOKEN_BOT }}
diff --git a/.github/workflows/build-macos-qt6.yml b/.github/workflows/build-macos-qt6.yml
index 4edf1d8280e..37a7a79242d 100644
--- a/.github/workflows/build-macos-qt6.yml
+++ b/.github/workflows/build-macos-qt6.yml
@@ -32,7 +32,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: 🐩 Install CMake and Ninja
-        uses: lukka/get-cmake@latest
+        uses: lukka/get-cmake@ea004816823209b8d1211e47b216185caee12cc5 # latest
         with:
           # Pin to specific version to avoid rebuilding too often
           # Also helps to avoid spurious build failures like https://github.com/qgis/QGIS/pull/47098
@@ -54,7 +54,7 @@ jobs:
           python-version: '3.11'
 
       - name: 🍭 Setup XCode
-        uses: maxim-lobanov/setup-xcode@v1.6.0
+        uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
         with:
           xcode-version: latest-stable
 
diff --git a/.github/workflows/code_layout.yml b/.github/workflows/code_layout.yml
index 62ed02b2b75..57b97153188 100644
--- a/.github/workflows/code_layout.yml
+++ b/.github/workflows/code_layout.yml
@@ -162,7 +162,7 @@ jobs:
               silversearcher-ag
 
       - name: Retrieve changed files
-        uses: tj-actions/changed-files@v46
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c #v46
         id: changed_files
         with:
           separator: " "
diff --git a/.github/workflows/pr-needs-documentation.yml b/.github/workflows/pr-needs-documentation.yml
index 310df09aefc..578aad7f728 100644
--- a/.github/workflows/pr-needs-documentation.yml
+++ b/.github/workflows/pr-needs-documentation.yml
@@ -26,7 +26,7 @@ jobs:
 
       - name: Create comment about documentation
         if: github.event.label.name == 'Needs Documentation'
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         with:
           token: ${{ secrets.GH_TOKEN_BOT }}
           issue-number: ${{ github.event.pull_request.number }}
@@ -44,7 +44,7 @@ jobs:
 
       - name: Create comment about changelog
         if: github.event.label.name == 'Changelog'
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         with:
           token: ${{ secrets.GH_TOKEN_BOT }}
           issue-number: ${{ github.event.pull_request.number }}
@@ -115,7 +115,7 @@ jobs:
 
       # get commits from the PR
       - name: Get PR commits
-        uses: octokit/request-action@v2.x
+        uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
         id: get_pr_commits
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -135,7 +135,7 @@ jobs:
       # create the documentation issue
       - name: Create Documentation issue
         id: doc_issue
-        uses: dacbd/create-issue-action@v2.0.0
+        uses: dacbd/create-issue-action@cdb57ab6ff8862aa09fee2be6ba77a59581921c2 # v2.0.0
         with:
           token: ${{ secrets.GH_TOKEN_BOT }}
           owner: qgis
@@ -160,7 +160,7 @@ jobs:
 
       # write comment to ping the PR author
       - name: Create comment
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         with:
           token: ${{ secrets.GH_TOKEN_BOT }}
           issue-number: ${{ github.event.pull_request.number }}
diff --git a/.github/workflows/pr_unstale_commit.yml b/.github/workflows/pr_unstale_commit.yml
index 1f830adb66e..fdf5aa503be 100644
--- a/.github/workflows/pr_unstale_commit.yml
+++ b/.github/workflows/pr_unstale_commit.yml
@@ -12,7 +12,7 @@ jobs:
     if: contains(github.event.pull_request.labels.*.name, 'stale')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions-ecosystem/action-remove-labels@v1
+      - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 #v1.0
         if: ${{ github.event.comment.user.url != 'https://github.com/apps/github-actions' }}
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index 6c974170a1a..7c50c8490ab 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
@@ -88,7 +88,7 @@ jobs:
     steps:
 
       - name: Free Disk Space (Ubuntu)
-        uses: jlumbroso/free-disk-space@main
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main
         with:
           tool-cache: true
           large-packages: false
@@ -274,7 +274,7 @@ jobs:
     steps:
 
       - name: Free Disk Space (Ubuntu)
-        uses: jlumbroso/free-disk-space@main
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main
         with:
           tool-cache: true
           large-packages: false
@@ -399,7 +399,7 @@ jobs:
 
     steps:
       - name: Free Disk Space (Ubuntu)
-        uses: jlumbroso/free-disk-space@main
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main
         with:
           tool-cache: true
           large-packages: false
diff --git a/.github/workflows/sipify-bot.yml b/.github/workflows/sipify-bot.yml
index 6d938593e7c..ed85e347476 100644
--- a/.github/workflows/sipify-bot.yml
+++ b/.github/workflows/sipify-bot.yml
@@ -20,7 +20,7 @@ jobs:
         run: pip install nose2 mock termcolor pyyaml
 
       - name: Get PR branch
-        uses: alessbell/pull-request-comment-branch@v2.1.0
+        uses: alessbell/pull-request-comment-branch@ef3408c9757d05f89cb525036383033a313758a0 # v2.1.0
         if: ${{ github.event_name == 'issue_comment' }}
         id: comment-branch