From 5d87d386c3c3dd02559286d7bde2e4d291c78989 Mon Sep 17 00:00:00 2001
From: user
Date: Thu, 19 Feb 2026 20:25:23 -0800
Subject: [PATCH] ci: pin actions to commit SHAs to prevent RCE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pin actions/checkout and actions/setup-go to their full commit SHAs instead of mutable tags, per review feedback.
- actions/checkout@v4 → 34e114876b0b11c390a56381ad16ebd13914f8d5
- actions/setup-go@v5 → 40f1582b2485089dde7abd97c1529aa768e1baff
---
 .gitea/workflows/check.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/check.yml b/.gitea/workflows/check.yml
index c61fe77..fe3dd67 100644
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@@ -10,9 +10,9 @@ jobs:
 check:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version-file: go.mod
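Review bot: The trailing comments on both pinned `uses:` lines record only the moving major tag (`# v4`, `# v5`), so a later reader cannot tell which release each SHA was taken from or check it against upstream. Record the exact release instead, e.g. `# v4.X.Y` (placeholder for the real tag), which also gives update tooling a version to compare against. The diff itself cannot show that the two SHAs are the commits those tags pointed to, so that check should be noted in the review. Since this is a Gitea workflow, the short `actions/checkout` form is presumably resolved against the instance's configured default actions host, and the pin only fixes content relative to that host. If that host is not the intended upstream, the full URL form of `uses:` would make the source explicit.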