From 09858e94e20d7a5f7d87f9eacf97b63f85230773 Mon Sep 17 00:00:00 2001
From: "Garen J. Torikian" <gjtorikian@users.noreply.github.com>
Date: Thu, 26 Feb 2026 14:20:27 -0500
Subject: [PATCH] Pin GitHub Actions

---
 .github/workflows/lint-pr-title.yml  | 2 +-
 .github/workflows/main.yml           | 8 ++++----
 .github/workflows/release-please.yml | 6 +++---
 .vscode/settings.json                | 5 +++++
 4 files changed, 13 insertions(+), 8 deletions(-)
 create mode 100644 .vscode/settings.json

diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml
index 83867c4..fad904d 100644
--- a/.github/workflows/lint-pr-title.yml
+++ b/.github/workflows/lint-pr-title.yml
@@ -15,6 +15,6 @@ jobs:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8847975..58b36af 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -32,7 +32,7 @@ jobs:
 
     steps:
     - name: Check out this repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Setup Elixir and Erlang
       uses: erlef/setup-beam@5304e04ea2b355f03681464e683d92e3b2f18451 # v1.18.2
@@ -43,7 +43,7 @@ jobs:
     # We need to manually restore and then save, so that we can save the "_build" directory
     # *without* the Elixir compiled code in it.
     - name: Restore Mix dependencies cache
-      uses: actions/cache/restore@v3
+      uses: actions/cache/restore@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0
       id: mix-deps-cache
       with:
         path: |
@@ -59,7 +59,7 @@ jobs:
       run: mix do deps.get, deps.compile
 
     - name: Save Mix dependencies cache
-      uses: actions/cache/save@v3
+      uses: actions/cache/save@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0
       if: steps.mix-deps-cache.outputs.cache-hit != 'true'
       with:
         path: |
@@ -84,7 +84,7 @@ jobs:
       run: mix test
 
     - name: Retrieve PLT Cache
-      uses: actions/cache@v3
+      uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0
       if: matrix.dialyzer
       id: plt-cache
       with:
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index b4377af..967fbd6 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -18,12 +18,12 @@ jobs:
     steps:
       - name: Generate token
         id: generate-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
         with:
           app-id: ${{ vars.SDK_BOT_APP_ID }}
           private-key: ${{ secrets.SDK_BOT_PRIVATE_KEY }}
 
-      - uses: googleapis/release-please-action@v4
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
         id: release
         with:
           token: ${{ steps.generate-token.outputs.token }}
@@ -37,7 +37,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Setup Elixir and Erlang
         uses: erlef/setup-beam@5304e04ea2b355f03681464e683d92e3b2f18451 # v1.18.2
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..6a171bf
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,5 @@
+{
+    "[github-actions-workflow]": {
+        "editor.defaultFormatter": "redhat.vscode-yaml"
+    }
+}