From 74e72cbe89bc59a05a4ae9c25bbcf0bddc23df2b Mon Sep 17 00:00:00 2001
From: "aikido-autofix[bot]" <119856028+aikido-autofix[bot]@users.noreply.github.com>
Date: Thu, 23 Apr 2026 04:11:52 +0000
Subject: [PATCH] fix(security): autofix 3rd party Github Actions should be pinned
---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6f0d4d2..858ba7f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,7 +31,7 @@ jobs:
 echo "Tag is on main branch, proceeding with release"
 - name: Setup pnpm
- uses: pnpm/action-setup@v5
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
 - name: Setup Node
 uses: actions/setup-node@v6
@@ -193,7 +193,7 @@ jobs:
 # OIDC trusted publishing (id-token: write) enables automatic provenance generation
 - name: Create GitHub Release
- uses: softprops/action-gh-release@v3
+ uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
 with:
 body_path: release_notes.md
 draft: false
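Review bot: The trailing `# v5` comment on the pinned `pnpm/action-setup` line names a moving major tag, so a reader cannot tell which release the SHA corresponds to; the second hunk's `# v3.0.0` is the better form, e.g. `# v5.x.y` with the exact release filled in (placeholder here). Because both SHAs in this patch were produced by a bot, they should be checked against the upstream repositories' own tags before merge, since GitHub can also resolve a SHA that exists only in a fork of the action. `actions/setup-node@v6` in the context just below is still on a mutable tag in the same release job; the commit title limits itself to third-party actions, but pinning it the same way (`uses: actions/setup-node@<full-commit-sha> # <exact version>`) would make the job consistent.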
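Review bot: The `softprops/action-gh-release` step appears to run in the same job that holds `id-token: write` for trusted publishing, going by the comment directly above it, so a third-party action still executes where it could request an OIDC token. Pinning fixes which code runs, but it does not narrow what that code is allowed to do. The `permissions:` block is outside this hunk, so this is inferred; if the permission is job-wide, consider moving release creation into its own job that carries only `contents: write`. The step's `with:` block may continue past the end of the hunk.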