From 3ca6c299d68fca85b7f69a7d4c9009334d80177b Mon Sep 17 00:00:00 2001
From: Juan Camilo
Date: Thu, 2 Apr 2026 09:46:16 +0200
Subject: [PATCH] security: pin GitHub Actions to immutable SHA digests

Pin all GitHub Actions to commit SHA instead of mutable version tags to prevent supply chain attacks via tag poisoning. This is especially important for third-party actions like oven-sh/setup-bun.
---
 .github/workflows/pr-checks.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index 1b2bba1b..34580f4d 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -12,15 +12,15 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 22
 - name: Set up Bun
- uses: oven-sh/setup-bun@v2
+ uses: oven-sh/setup-bun@4bc047ad259df6fc24a6c9b0f9a0cb08cf17fbe5 # v2.0.1
 with:
 bun-version: 1.3.11