Pin GitHub Actions to full commit SHAs with inline semver comments

Copilot · kingthorin · web-flow · commit 8bc4db609f81 · 2026-04-11T13:54:06.000Z
Agent-Logs-Url: https://github.com/OWASP/www-project-web-security-testing-guide/sessions/c1458b84-d3ee-4e38-856e-27c5b7a7e855 Co-authored-by: kingthorin <7570458+kingthorin@users.noreply.github.com>
diff --git a/.github/workflows/pr_comment.yml b/.github/workflows/pr_comment.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: PR Comment
-      uses: actions/github-script@v9
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
       with:
         github-token: ${{secrets.GITHUB_TOKEN}}
         script: |
diff --git a/.github/workflows/validate-owasp-metadata.yaml b/.github/workflows/validate-owasp-metadata.yaml
@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Validate metadata file
         uses: owasp/nest-schema/.github/actions/validate@011b47d59567ae7cfd246948c67503ba2f6cc15b
