chore(workflow): pin sha & update actions

Author: erisu

.github/workflows/ci.yml

@@ -44,10 +44,12 @@ jobs:
         os: [ubuntu-latest, macos-15]
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          fetch-depth: 1
 
-      - name: Use Node.js ${{ matrix.node.version }}
-        uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: ${{ matrix.node.version }}
 
@@ -56,7 +58,7 @@ jobs:
           node --version
           npm --version
 
-      - uses: github/codeql-action/init@v4
+      - uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
         with:
           languages: javascript
           queries: security-and-quality
@@ -70,7 +72,7 @@ jobs:
         env:
           CI: true
 
-      - uses: github/codeql-action/analyze@v4
+      - uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
 
       # v4.6.0
       - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238

.github/workflows/release-audit.yml

@@ -34,22 +34,25 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # Checkout project
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          fetch-depth: 1
 
-      # Check license headers (v2.0.0)
-      - uses: erisu/apache-rat-action@46fb01ce7d8f76bdcd7ab10e7af46e1ea95ca01c
+      # Check license headers (v3.0.0)
+      - uses: erisu/apache-rat-action@30c94d10ed21e6f6fd5590dc5c158f58cae7a0dd
 
       # Setup environment with node
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 24
 
       # Install node packages
       - name: npm install packages
         run: npm ci
 
-      # Check node package licenses (v2.0.1)
-      - uses: erisu/license-checker-action@99cffa11264fe545fd0baa6c13bca5a00ae608f2
+      # Check node package licenses (v2.1.0)
+      - uses: erisu/license-checker-action@04511f4c052b5773f11e1c65b42cda88235c62ae
         with:
           license-config: 'licence_checker.yml'
-          include-asf-category-a: true
+          include-asf-category-a: true