From 89e11bc533c07940ef336528d6fb96c7e0cc0137 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20Ram=C3=ADrez-Mondrag=C3=B3n?= <edgarrm358@gmail.com>
Date: Wed, 3 Sep 2025 22:40:11 -0600
Subject: [PATCH] Pin actions/cache

GitHub recently added support for requiring actions to be pinned to a
full-length commit SHA[^1].

Their changelog doesn't mention that composite actions also fail if
their own actions are not pinned, which is the case for this project.

Hope this makes sense. I didn't bump the versions, just added the commit
SHAs, using `pinact run`.

[^1]: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
---
 .github/workflows/main.yml | 4 ++--
 action.yml                 | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 116a2d7..7f97d40 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -7,7 +7,7 @@ jobs:
   main:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-python@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+    - uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3.1.4
     - name: self test action
       uses: ./
diff --git a/action.yml b/action.yml
index 18ded0d..d332661 100644
--- a/action.yml
+++ b/action.yml
@@ -12,7 +12,7 @@ runs:
     shell: bash
   - run: python -m pip freeze --local
     shell: bash
-  - uses: actions/cache@v4
+  - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
     with:
       path: ~/.cache/pre-commit
       key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}