From 405af8666f201f6d7cccb79ba0a88ee387cf439e Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Wed, 25 Mar 2026 14:55:14 -0400
Subject: [PATCH] ci(audit): reduce pull_request_target to pull_request, pin action commit hashes, use user login name for /build_test
---
 .github/workflows/dependent-issues.yml | 2 +-
 .github/workflows/labeler.yml | 2 +-
 .github/workflows/semantic-pr.yml | 2 +-
 .github/workflows/test-ci-command.yml | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/dependent-issues.yml b/.github/workflows/dependent-issues.yml
index 9ce7f4a5e..249d5cef4 100644
--- a/.github/workflows/dependent-issues.yml
+++ b/.github/workflows/dependent-issues.yml
@@ -25,7 +25,7 @@ jobs:
 statuses: write
 runs-on: ubuntu-latest
 steps:
- - uses: z0al/dependent-issues@v1
+ - uses: z0al/dependent-issues@950226e7ca8fc43dc209a7febf67c655af3bdb43 # v1.5.2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 082d2598e..4e97d44a0 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -13,6 +13,6 @@ jobs:
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
- - uses: actions/labeler@v6
+ - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/semantic-pr.yml b/.github/workflows/semantic-pr.yml
index 3abcb996d..5202ec844 100644
--- a/.github/workflows/semantic-pr.yml
+++ b/.github/workflows/semantic-pr.yml
@@ -16,6 +16,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: amannn/action-semantic-pull-request@v6.1.1
+ - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test-ci-command.yml b/.github/workflows/test-ci-command.yml
index cd817e9de..3f7c8bfed 100644
--- a/.github/workflows/test-ci-command.yml
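Review bot: The `# v1.5.2` comment after the new hash in the dependent-issues.yml hunk is free text that nothing in the workflow checks, and the same holds for the `# v6.0.1` and `# v6.1.1` pins in labeler.yml and semantic-pr.yml. GitHub resolves a full SHA against the fork network of the named repository, so it is worth confirming once that each hash is the commit the upstream tag points to rather than a commit that only exists in a fork. The first two pins also stop following the floating `v1` and `v6` tags, so fixes now arrive only through an explicit bump; if the repository has no Dependabot entry with `package-ecosystem: "github-actions"`, adding one keeps hash and comment moving together.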
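Review bot: No `on:` trigger is touched by the labeler.yml hunk or by any other hunk in this patch, although the subject announces a move from `pull_request_target` to `pull_request`; the five changed lines are the three `uses:` pins and the two `if:` conditions. The `on:` block of labeler.yml lies outside the hunk, so the trigger in effect cannot be seen here; if it is still `pull_request_target`, this job keeps `pull-requests: write` and a repository token in the base-repository context for fork PRs. Either include the trigger change in this commit or reword the subject to match the diff, e.g. `ci(audit): pin action commit hashes, use user login name for /build_test`.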
+++ b/.github/workflows/test-ci-command.yml
@@ -22,7 +22,7 @@ jobs:
 - name: Show warning if permission is denied
 if: |
 !(github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER')
- && (!contains(github.event.issue.labels.*.name, 'safe-to-test') || github.event.issue.user.name != github.event.comment.user.name)
+ && (!contains(github.event.issue.labels.*.name, 'safe-to-test') || github.event.issue.user.login != github.event.comment.user.login)
 uses: thollander/actions-comment-pull-request@v3
 with:
 message: |-
@@ -31,7 +31,7 @@ jobs:
 - name: Fail if command permission is denied
 if: |
 !(github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER')
- && (!contains(github.event.issue.labels.*.name, 'safe-to-test') || github.event.issue.user.login != github.event.comment.user.login)
+ && (!contains(github.event.issue.labels.*.name, 'safe-to-test') || github.event.issue.user.login != github.event.comment.user.login)
 run: exit 1
 - name: React to comment
 uses: actions/github-script@v8
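Review bot: `uses: thollander/actions-comment-pull-request@v3` in the first test-ci-command.yml hunk is still a mutable tag, as is `actions/github-script@v8` at the end of the second hunk, while this same commit pins the actions in the other three workflows to full hashes. Judging by the `github.event.comment` fields, this workflow reacts to comments and writes back to the PR, so it is at least as exposed to an upstream tag move as the workflows that were pinned. Pin both the same way, e.g. `uses: thollander/actions-comment-pull-request@<full-commit-sha> # v3.x.y`, with the hash taken from the upstream release. The step's `with: message:` body continues outside the hunk.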
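Review bot: The deny expression is written out twice, on the warning step and again on `Fail if command permission is denied`, and this commit had to apply the identical `.name` to `.login` correction to both copies. If the copies ever drift, the job can warn without failing, which fails open for the `/build_test` gate. Give the warning step an id, e.g. `id: permission_denied`, and key the fail step off it with `if: steps.permission_denied.outcome == 'success'`, so there is one expression to audit. A comment above that expression stating the rule would help too: `# allow MEMBER/OWNER; others only when the PR has safe-to-test and the commenter is the PR author`.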