From 1096f93f1b6ee966e71bcefb5db7baee3b0f1063 Mon Sep 17 00:00:00 2001
From: Josep Boix Requesens
Date: Mon, 11 May 2026 16:14:30 +0200
Subject: [PATCH] ci: pin third-party github actions to immutable commit hashes

Following GitHub's security best practices, this change ensures that workflow executions use an exact hash instead of a tag. Unlike tags, commit hashes are immutable, protecting the repository against "tag shifting" where a malicious actor or a compromised maintainer could overwrite a version tag (e.g., @v1) with malicious code.

- Pinned third-party actions to specific SHAs.
- Added the original tag as a comment for readability.
- Skipped first-party `actions/*` repositories as they are trusted.

Ref: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
---
 .github/workflows/github-page.yml | 2 +-
 .github/workflows/preview.yml | 2 +-
 .github/workflows/quality.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/github-page.yml b/.github/workflows/github-page.yml
index ae2b6b0..da573b2 100644
--- a/.github/workflows/github-page.yml
+++ b/.github/workflows/github-page.yml
@@ -33,7 +33,7 @@ jobs:
 npm run build
 - name: Deploy GitHub Page 🚀
- uses: JamesIves/github-pages-deploy-action@releases/v4
+ uses: JamesIves/github-pages-deploy-action@800bbc83122db9d4c38fcd284782d5afe62e52df # releases/v4
 with:
 branch: gh-pages
 folder: dist
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
index 3bf0d09..c870bd3 100644
--- a/.github/workflows/preview.yml
+++ b/.github/workflows/preview.yml
@@ -41,7 +41,7 @@ jobs:
 npm run build
 - name: Deploy preview
- uses: rossjrw/pr-preview-action@v1
+ uses: rossjrw/pr-preview-action@ffa7509e91a3ec8dfc2e5536c4d5c1acdf7a6de9 # v1
 with:
 source-dir: dist
 preview-branch: gh-pages
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
index ba95777..ae946e6 100644
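Review bot: The new `uses:` line freezes `github-pages-deploy-action` at `800bbc83…` but nothing in the diff moves that hash forward, so fixes released upstream will not reach this deploy job until someone edits the workflow by hand; if the repository has no `.github/dependabot.yml` entry with `package-ecosystem: github-actions`, add one so the hash and its trailing comment are bumped together. The `# releases/v4` comment also looks like a branch ref rather than a release tag, so it does not say which version was frozen — recording the exact release the commit belongs to (e.g. `# v4.x.y`) would make the pin auditable and lets Dependabot compare versions. Before merging, confirm the hash actually resolves in the upstream repository, e.g. `git ls-remote https://github.com/JamesIves/github-pages-deploy-action releases/v4`, since GitHub never checks the comment against the hash.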
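Review bot: Pinning `rossjrw/pr-preview-action` by hash only freezes the top-level reference; if that action is a composite action (I recall it wraps `JamesIves/github-pages-deploy-action` internally), every `uses:` inside its `action.yml` is still resolved by whatever ref the action's own code specifies, and a mutable tag there reintroduces the tag-shifting exposure this commit is closing. Check the `action.yml` at `ffa7509e91a3ec8dfc2e5536c4d5c1acdf7a6de9` and, if its nested references are floating, either pick a commit where they are pinned or note the residual risk next to the `# v1` comment. As with the other workflows, verify the hash against `git ls-remote` output rather than trusting the trailing comment, which nothing enforces.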
--- a/.github/workflows/quality.yml
+++ b/.github/workflows/quality.yml
@@ -39,4 +39,4 @@ jobs:
 npm test
 - name: Report Coverage
- uses: davelosert/vitest-coverage-report-action@v2
+ uses: davelosert/vitest-coverage-report-action@3c50566c523e04813df28de8f7c48dd97d663f1c # v2
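Review bot: The trailing `# v2` comment is the only record of what `3c50566c523e04813df28de8f7c48dd97d663f1c` corresponds to, and a floating major tag cannot be reconciled with a specific commit later, so a reviewer or Dependabot cannot tell whether the pin is current; replace it with the exact release the hash was taken from (whatever `git describe --tags 3c50566c…` reports in the upstream repository), e.g. `# v2.8.0`-style. Pinning by SHA also means this coverage reporter stops receiving updates until someone bumps the hash, so the pin should be paired with a `github-actions` Dependabot configuration if one is not already present. Both points apply equally to the other two workflows in this patch.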