From 717c6c435af5e1a01e050566105396044ce00a8b Mon Sep 17 00:00:00 2001
From: Xueqin Cui
Date: Wed, 4 Mar 2026 12:47:29 +1100
Subject: [PATCH 1/2] pin actions
---
 .github/workflows/auto_import.yaml | 6 +++---
 .github/workflows/automation.yaml | 10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/auto_import.yaml b/.github/workflows/auto_import.yaml
index 0be48ec7..9ca86b56 100644
--- a/.github/workflows/auto_import.yaml
+++ b/.github/workflows/auto_import.yaml
@@ -9,8 +9,8 @@ jobs:
 name: Auto import
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
 with:
 go-version: '^1.16.4'
 - run: |
@@ -21,7 +21,7 @@ jobs:
 wget https://storage.googleapis.com/cve-osv-conversion/nvd/nvdcve-2.0-$year.json;
 done
 - run: |
- go install github.com/google/osv/vulnfeeds/cmd/pypi@master
+ go install github.com/google/osv/vulnfeeds/cmd/pypi@9d246b44e61fbcb7586686722c8ad9ea579d3427 # master
 for nvdfile in nvdcve-2.0-*.json; do
 pypi -false_positives triage/false_positives.yaml \
 -nvd_json $nvdfile \
diff --git a/.github/workflows/automation.yaml b/.github/workflows/automation.yaml
index 31b3fcb0..3412aae9 100644
--- a/.github/workflows/automation.yaml
+++ b/.github/workflows/automation.yaml
@@ -12,10 +12,10 @@ jobs:
 name: Analysis
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 64
- - uses: google/osv/actions/analyze@master
+ - uses: google/osv/actions/analyze@9d246b44e61fbcb7586686722c8ad9ea579d3427 # master
 with:
 analyze-git: false
 pr-base: HEAD~63
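Review bot: The move from actions/setup-go@v2 to the v6.3.0 pin on the `+ - uses: actions/setup-go@4b73464b…` line is a four-major-version jump, and setup-go switched Go module caching on by default somewhere in that span; caching looks for a go.sum in the checkout, and this job only runs `go install …@<commit>` against a remote module, so there is presumably no go.sum here and the cache step may warn or even fail the job — confirm against the release notes of the pinned version. If that is the case, add `cache: false` next to `go-version` under the existing `with:` block so the upgrade stays a pure pin. The `- run: |` step that closes this hunk continues outside it.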
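Review bot: The `# master` comment on the new `+ go install github.com/google/osv/vulnfeeds/cmd/pypi@9d246b44…` line records where the SHA came from but nothing about when, and because this pin sits inside a `run:` script rather than a `uses:` line, Dependabot/Renovate will not bump it — it only moves when someone edits it by hand, as the second patch in this series already shows. The same commit is also pinned for `cmd/ids` and `actions/analyze` in automation.yaml, so a forgotten edit in one place would run mismatched tool versions. A comment such as `# google/osv master as of 2026-03-04; keep in lockstep with the cmd/ids and actions/analyze pins in automation.yaml` would make the next bump auditable. Pinning a commit instead of `@master` is otherwise the right call, since with default GOFLAGS `go install` verifies the resolved module through the checksum database.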
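Review bot: Pinning `google/osv/actions/analyze` to a commit on the `+ - uses: google/osv/actions/analyze@9d246b44…` line fixes the action's metadata and any scripts checked out with it, but if that action is a Docker action whose `runs.image` names a registry tag rather than a local `Dockerfile`, the container that actually performs the analysis is still resolved by tag and can change under the same SHA. Please check `actions/analyze/action.yml` at the pinned commit; if it references a remote image, ask upstream to pin by digest or record the residual risk inline, e.g. `# pins action.yml only — the analysis image is resolved from its registry tag at run time`. The `# master` label also gives the next maintainer no date to reason about, so `# master as of 2026-03-04` would be more useful than the bare branch name.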
@@ -32,12 +32,12 @@ jobs:
 name: Assign IDs
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
 with:
 go-version: '^1.16.4'
 - run: |
- go install github.com/google/osv/vulnfeeds/cmd/ids@latest
+ go install github.com/google/osv/vulnfeeds/cmd/ids@9d246b44e61fbcb7586686722c8ad9ea579d3427 # master
 ids -dir=./vulns -prefix PYSEC
 git config user.name github-actions
 git config user.email github-actions@github.com
From 197ede4ddeaf628476738695234f219957e1039a Mon Sep 17 00:00:00 2001
From: Xueqin Cui
Date: Wed, 4 Mar 2026 17:14:26 +1100
Subject: [PATCH 2/2] update OSV hashes
---
 .github/workflows/auto_import.yaml | 2 +-
 .github/workflows/automation.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/auto_import.yaml b/.github/workflows/auto_import.yaml
index 9ca86b56..5d2ddb46 100644
--- a/.github/workflows/auto_import.yaml
+++ b/.github/workflows/auto_import.yaml
@@ -21,7 +21,7 @@ jobs:
 wget https://storage.googleapis.com/cve-osv-conversion/nvd/nvdcve-2.0-$year.json;
 done
 - run: |
- go install github.com/google/osv/vulnfeeds/cmd/pypi@9d246b44e61fbcb7586686722c8ad9ea579d3427 # master
+ go install github.com/google/osv/vulnfeeds/cmd/pypi@4fcedbd3c18bbfefb5bae7c854a7af5e30cc3321 # master
 for nvdfile in nvdcve-2.0-*.json; do
 pypi -false_positives triage/false_positives.yaml \
 -nvd_json $nvdfile \
diff --git a/.github/workflows/automation.yaml b/.github/workflows/automation.yaml
index 3412aae9..dc2319e5 100644
--- a/.github/workflows/automation.yaml
+++ b/.github/workflows/automation.yaml
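Review bot: The checkout bump from `@v4` to the v6.0.2 pin on the `+ - uses: actions/checkout@de0fac2e…` line crosses two major versions in a job that goes on to `git config user.name github-actions` and, presumably, commits and pushes outside this hunk; if I recall the action's changelog correctly, the v6 line changed how the persisted token is stored (it is no longer written into the repository's `.git/config`), which is fine for a plain `git push` later in the same job but worth one test run if the push happens inside a container step or after copying the checkout elsewhere — verify against the release notes for the pinned version. The `# v6.0.2` label cannot be checked from the diff alone, so please confirm the SHA was read off the release tag and not a branch head before merging. The `run:` block that ends this hunk continues outside it.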
@@ -15,7 +15,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 64
- - uses: google/osv/actions/analyze@9d246b44e61fbcb7586686722c8ad9ea579d3427 # master
+ - uses: google/osv/actions/analyze@4fcedbd3c18bbfefb5bae7c854a7af5e30cc3321 # master
 with:
 analyze-git: false
 pr-base: HEAD~63
@@ -37,7 +37,7 @@ jobs:
 with:
 go-version: '^1.16.4'
 - run: |
- go install github.com/google/osv/vulnfeeds/cmd/ids@9d246b44e61fbcb7586686722c8ad9ea579d3427 # master
+ go install github.com/google/osv/vulnfeeds/cmd/ids@4fcedbd3c18bbfefb5bae7c854a7af5e30cc3321 # master
 ids -dir=./vulns -prefix PYSEC
 git config user.name github-actions
 git config user.email github-actions@github.com