fix(security): autofix 3rd party Github Actions should be pinned

aikido-autofix[bot] · triceo · commit 084d61bffe8a · 2025-05-26T15:08:08.000+02:00
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -150,7 +150,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: graalvm/setup-graalvm@v1
+      - uses: graalvm/setup-graalvm@01ed653ac833fe80569f1ef9f25585ba2811baab # v1
         with:
           java-version: ${{matrix.java-version}}
           distribution: 'graalvm-community'
diff --git a/.github/workflows/pull_request_secure.yml b/.github/workflows/pull_request_secure.yml
@@ -327,7 +327,7 @@ jobs:
       - name: Deploy Documentation (Preview Mode)
         if: ${{ env.BRANCH_NAME != 'main' }}
         id: deploy
-        uses: cloudflare/wrangler-action@v3
+        uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3
         with:
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -66,7 +66,7 @@ jobs:
 
       # Need Maven 3.9.0+ to recognize MAVEN_ARGS.
       - name: Set up Maven
-        uses: stCarolas/setup-maven@v5
+        uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
         with:
           maven-version: 3.9.3
 
@@ -96,7 +96,7 @@ jobs:
           git push origin $RELEASE_BRANCH_NAME
 
       - name: Run JReleaser
-        uses: jreleaser/release-action@v2
+        uses: jreleaser/release-action@80ffb38fa759704eed4db5c7fcaae3ac1079473e # v2
         env:
           JRELEASER_DRY_RUN: ${{ github.event.inputs.dryRun }}
           JRELEASER_PROJECT_VERSION: ${{ github.event.inputs.version }}
@@ -117,5 +117,5 @@ jobs:
             out/jreleaser/output.properties
 
       - name: Publish distribution to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1
         if: ${{ github.event.inputs.dryRun == 'false' }}
