From ff2f7cd9dc6c4acbc8eca2acfcb8b5d25ec388e9 Mon Sep 17 00:00:00 2001
From: Shay Goldstein
Date: Wed, 13 May 2026 18:29:05 +0300
Subject: [PATCH] CEML-709: Pin GitHub Actions to immutable commit SHAs

Mutable version tags (e.g. @v4) can be force-pushed to point to a different commit, opening a supply-chain attack vector. Replace all four unpinned action references with the commit SHA each tag currently resolves to, preserving the tag as a trailing comment for readability.

Resolves CEML-709

Co-authored-by: Cursor
---
 .github/workflows/demos_notebook_tests.yml | 2 +-
 .github/workflows/pr-validation.yml | 2 +-
 .github/workflows/release.yml | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/demos_notebook_tests.yml b/.github/workflows/demos_notebook_tests.yml
index a03edaa6..c28a0dcb 100644
--- a/.github/workflows/demos_notebook_tests.yml
+++ b/.github/workflows/demos_notebook_tests.yml
@@ -15,7 +15,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 #v2
 - name: Extract private key
 run: echo "${{ secrets.TEST_SYSTEM_MLRUN_PEM }}" > mlrun.pem
 - name: Set permissions on key
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index 28673fa7..f87bf0e3 100644
--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
@@ -15,7 +15,7 @@ jobs:
 steps:
 - name: Validate PR title and assign label
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b #v7
 with:
 github-token: "${{ secrets.GITHUB_TOKEN }}"
 script: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 06474636..4426bb02 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
 fi
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4
 with:
 fetch-depth: 0
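Review bot: The new `uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 #v2` line in demos_notebook_tests.yml pins a major that, as far as I know, is already deprecated upstream and no longer receives fixes, so the SHA now freezes this workflow on stale code; pinning is the right move, but a follow-up should bump this checkout to the same v4 SHA that release.yml uses in this very commit. The trailing comment should carry the exact tag the SHA was resolved from rather than the major alone, written as `# v2.7.0` (if I read the upstream tag list correctly) with a space after `#` so yamllint's comments rule passes — Dependabot and Renovate read that comment when proposing SHA updates, and a reviewer can re-verify the pin from it. I would also confirm the SHA is reachable from a tag in the upstream actions/checkout repository and not only through GitHub's fork network, since an `owner/repo@sha` reference resolves any commit in that network.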
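Review bot: The pin `uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b #v7` in pr-validation.yml has nothing in this change to move it forward, so without an updater the workflow will silently stay on this commit after upstream ships security fixes; add a `.github/dependabot.yml` entry with `package-ecosystem: github-actions` (or the Renovate equivalent), which bumps SHA pins when the trailing comment names a version. For that to work, and for a human to re-verify the pin, write the comment as the full tag the SHA was taken from with a space after the hash, e.g. `# v7.0.1` or whichever patch release this commit actually is — I cannot confirm the exact tag from the diff alone. The step's `script: |` block continues past the end of the hunk.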
@@ -101,7 +101,7 @@ jobs:
 - name: Generate release notes with git-cliff
 if: steps.version_check.outputs.is_rc == 'false'
- uses: orhun/git-cliff-action@v4
+ uses: orhun/git-cliff-action@f50e11560dce63f7c33227798f90b924471a88b5 #v4
 with:
 config: cliff.toml
 args: >-
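Review bot: `uses: orhun/git-cliff-action@f50e11560dce63f7c33227798f90b924471a88b5 #v4` is the only third-party (non-`actions/`) reference in this commit, so it deserves the most scrutiny: verify that this SHA is reachable from a v4.x tag in orhun/git-cliff-action itself, since `owner/repo@sha` also resolves commits that exist only in forks of that repository. If the action is container-based, the SHA pins only the action repo and not the image its action.yml pulls, so check whether that image reference is pinned by digest; otherwise the release-notes step still carries a mutable dependency — I cannot see action.yml from this diff, so treat this as something to confirm. Record the exact tag in the comment with a space after the hash, e.g. `# v4.4.2` or whatever tag this commit corresponds to, so Dependabot or Renovate can keep the pin current. The step's `with:` block continues past the end of the hunk.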