From 4913e87975de121aa7b47c29128ce9616d4cf106 Mon Sep 17 00:00:00 2001
From: Paillat-dev
Date: Thu, 4 Sep 2025 10:23:30 +0200
Subject: [PATCH 1/2] :lock: Pin lesser-known gh actions to commit shas to lower supply chain attack surface
---
.github/workflows/pr-checks.yml | 4 ++--
.github/workflows/todo-checks.yml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index 683b3f3f70..0f68fd0cef 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -17,7 +17,7 @@ jobs:
name: "Check PR Dependencies"
steps:
- name: PR Dependency Check
- uses: gregsdennis/dependencies-action@v1.4.1
+ uses: gregsdennis/dependencies-action@ae6e0529ef70f1366a21972f40b1ad0e1b5e3218
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
semantic-title:
@@ -25,6 +25,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: "Check Semantic Pull Request"
- uses: amannn/action-semantic-pull-request@v6.1.1
+ uses: amannn/action-semantic-pull-request@fdd4d3ddf614fbcd8c29e4b106d3bbe0cb2c605d
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/todo-checks.yml b/.github/workflows/todo-checks.yml
index dbba5f59cb..5c2b626f31 100644
--- a/.github/workflows/todo-checks.yml
+++ b/.github/workflows/todo-checks.yml
@@ -23,7 +23,7 @@ jobs:
- name: "Checkout Repository"
uses: actions/checkout@v5
- name: "Track TODO Action"
- uses: ribtoks/tdg-github-action@v0.4.15-beta
+ uses: ribtoks/tdg-github-action@bb998752af7ac294aa9350895908ae7eac3f1c1d
with:
TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
From d3960b01620daa4416d4a7bc4bad4d4f90bd9a83 Mon Sep 17 00:00:00 2001
From: Paillat-dev
Date: Thu, 4 Sep 2025 10:26:32 +0200
Subject: [PATCH 2/2] :wrench: Add version comment for renovate to pick-up
---
.github/workflows/pr-checks.yml | 4 ++--
.github/workflows/todo-checks.yml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
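Review bot: Nothing in the commit shows that `ae6e0529…` (and `fdd4d3dd…` in the second hunk of this file) were checked to be the commits that `v1.4.1` and `v6.1.1` actually resolve to, and a well-formed but wrong digest passes every syntax check, so the verification — comparing each digest against the tag's commit from `git ls-remote --tags <repo-url> v1.4.1` (using the `^{}` peeled line when the tag is annotated) or the release page — should be recorded in the PR before merge. The digest pin also does nothing about what `gregsdennis/dependencies-action` can do with the `GITHUB_TOKEN` it receives on the `env:` line; unless the workflow already sets it outside this hunk, a job-level `permissions:` block limited to what the dependency check needs (probably `contents: read` and `pull-requests: read`, to be confirmed against the action's documentation) is the complementary control. The enclosing job definition starts before this hunk.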
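Review bot: `actions/checkout@v5` on the context line above the pinned step is still a floating major tag, so after this commit the only unpinned action in the job is the one that checks out the repository and runs first; the commit title scopes the change to "lesser-known" actions deliberately, but if the intent is a consistent digest-pinning policy it should get the same treatment, `uses: actions/checkout@<commit-sha> # v5.x.y` with the digest taken from the release the `v5` tag currently resolves to. The pin also does not constrain the `TOKEN: ${{ secrets.GITHUB_TOKEN }}` handed to `ribtoks/tdg-github-action`; that token's scope is set by a `permissions:` block outside this hunk (if one exists) and should be limited to what the action needs, presumably `issues: write` plus `contents: read`, to be confirmed against the action's README. The job definition begins before this hunk.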
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index 0f68fd0cef..668d69bb0b 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -17,7 +17,7 @@ jobs:
name: "Check PR Dependencies"
steps:
- name: PR Dependency Check
- uses: gregsdennis/dependencies-action@ae6e0529ef70f1366a21972f40b1ad0e1b5e3218
+ uses: gregsdennis/dependencies-action@ae6e0529ef70f1366a21972f40b1ad0e1b5e3218 # v1.4.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
semantic-title:
@@ -25,6 +25,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: "Check Semantic Pull Request"
- uses: amannn/action-semantic-pull-request@fdd4d3ddf614fbcd8c29e4b106d3bbe0cb2c605d
+ uses: amannn/action-semantic-pull-request@fdd4d3ddf614fbcd8c29e4b106d3bbe0cb2c605d # v6.1.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/todo-checks.yml b/.github/workflows/todo-checks.yml
index 5c2b626f31..e8b1e7b5cf 100644
--- a/.github/workflows/todo-checks.yml
+++ b/.github/workflows/todo-checks.yml
@@ -23,7 +23,7 @@ jobs:
- name: "Checkout Repository"
uses: actions/checkout@v5
- name: "Track TODO Action"
- uses: ribtoks/tdg-github-action@bb998752af7ac294aa9350895908ae7eac3f1c1d
+ uses: ribtoks/tdg-github-action@bb998752af7ac294aa9350895908ae7eac3f1c1d # v0.4.15-beta
with:
TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
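Review bot: The `# v1.4.1` and `# v6.1.1` trailers added on the `uses:` lines are now the only human-readable link between each digest and a release, and Renovate (or Dependabot) reads that comment as the current version, so a comment that does not match its digest makes the bot compute updates from the wrong baseline while reviewers trust the wrong version; the comment should be checked against the digest at merge, and any hand-edited bump must change both tokens together, never just one. This also assumes the repository's Renovate configuration actually enables digest pinning for the `github-actions` manager (for example the `helpers:pinGitHubActionDigests` preset); if it does not, the comment is inert and the pins will go stale silently, which is worth confirming since that configuration is not in this diff.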