From d5a574230ae10d18aa0f51ea343970de1f97285f Mon Sep 17 00:00:00 2001
From: Patrick Kaeding
Date: Wed, 25 Mar 2026 12:56:16 -0400
Subject: [PATCH 1/3] [SEC-7924] chore: pin third-party GitHub Actions to commit SHAs

Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the third-party-action-not-pinned-to-commit-sha Semgrep rule.
---
.github/actions/ci/action.yml | 2 +-
.github/workflows/ci.yml | 2 +-
.github/workflows/manual-publish-docs.yml | 2 +-
.github/workflows/release-please.yml | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/actions/ci/action.yml b/.github/actions/ci/action.yml
index 155bb44..a148b3e 100644
--- a/.github/actions/ci/action.yml
+++ b/.github/actions/ci/action.yml
@@ -8,7 +8,7 @@ inputs:
runs:
using: composite
steps:
- - uses: ruby/setup-ruby@v1
+ - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
with:
ruby-version: ${{ inputs.ruby-version }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 638d607..4aa469a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,7 +43,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- - uses: ruby/setup-ruby@v1
+ - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
with:
ruby-version: 3.4
diff --git a/.github/workflows/manual-publish-docs.yml b/.github/workflows/manual-publish-docs.yml
index de018bb..177372a 100644
--- a/.github/workflows/manual-publish-docs.yml
+++ b/.github/workflows/manual-publish-docs.yml
@@ -11,7 +11,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- - uses: ruby/setup-ruby@v1
+ - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
with:
ruby-version: 3.1
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index f7f13ab..06cb7f2 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
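Review bot: Pinning `ruby/setup-ruby` to a commit SHA in this composite action freezes it, so the repository now needs something that moves the pin, and nothing in the diffstats of this series adds a `.github/dependabot.yml` or Renovate config — if neither already exists, fixes published in setup-ruby will no longer reach CI at all. Dependabot's `github-actions` ecosystem keys SHA bumps off the trailing version comment, so the updater should be confirmed before the team relies on the pin. I also cannot verify from here that 319994f… is the commit the `v1` tag resolved to when this was written; recording the `git ls-remote --tags https://github.com/ruby/setup-ruby` check used to obtain it in the PR description would make the pin auditable.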
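Review bot: `actions/checkout@v4` on the line above the new pin is still a mutable tag, so this job keeps the same tag-retargeting exposure the commit removes for setup-ruby. The Semgrep rule named in the commit message presumably exempts the `actions/` org, which would explain the absence of a finding, but a SHA pin costs the same there: `- uses: actions/checkout@<full commit SHA of the verified v4 release> # v4.x.y`. Separately, `ruby-version: 3.4` is an unquoted float; it happens to round-trip, but a value such as `3.10` would be read as `3.1`, so `ruby-version: "3.4"` is the safer form.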
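Review bot: `actions/checkout@v4` remains tag-pinned in this workflow while `ruby/setup-ruby` is now on a SHA, leaving one floating reference in what is, going by its name, a manually triggered publishing path that presumably runs with credentials able to push docs. Pin it the same way, `- uses: actions/checkout@<full commit SHA of the verified v4 release> # v4.x.y`, so every action in the job is immutable. `ruby-version: 3.1` is also an unquoted float; quoting it as `"3.1"` avoids YAML number coercion.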
@@ -17,7 +17,7 @@ jobs:
upload-tag-name: ${{ steps.release.outputs.tag_name }}
gem-hash: ${{ steps.publish.outputs.gem-hash}}
steps:
- - uses: googleapis/release-please-action@v4
+ - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
id: release
- uses: actions/checkout@v4

From 12e5cd3c6eef363def5c6638789cd74b1dae44d9 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Mon, 30 Mar 2026 16:36:28 +0000
Subject: [PATCH 2/3] chore: use fully qualified version for release-please-action comment

Co-Authored-By: rlamb@launchdarkly.com <4955475+kinyoklion@users.noreply.github.com>
---
.github/workflows/release-please.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 06cb7f2..f865d71 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -17,7 +17,7 @@ jobs:
upload-tag-name: ${{ steps.release.outputs.tag_name }}
gem-hash: ${{ steps.publish.outputs.gem-hash}}
steps:
- - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
+ - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
id: release
- uses: actions/checkout@v4

From f344d4e2f14ff3c1bb992ecd00b453c58e87d071 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Mon, 30 Mar 2026 16:57:48 +0000
Subject: [PATCH 3/3] chore: update ruby/setup-ruby to v1.299.0

Co-Authored-By: rlamb@launchdarkly.com <4955475+kinyoklion@users.noreply.github.com>
---
.github/actions/ci/action.yml | 2 +-
.github/workflows/ci.yml | 2 +-
.github/workflows/manual-publish-docs.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/actions/ci/action.yml b/.github/actions/ci/action.yml
index a148b3e..1a6bc97 100644
--- a/.github/actions/ci/action.yml
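Review bot: `actions/checkout@v4` on the last line of the hunk is still a floating tag, and this is the workflow that cuts releases and, judging by the `gem-hash` output, publishes the gem, so it is where an unpinned action is most costly. Pin it to a verified commit the same way release-please-action is pinned here, `- uses: actions/checkout@<full commit SHA of the verified v4 release> # v4.x.y`. The job definition starts before this hunk and its `steps` list continues past it, so any later third-party actions in the same job (the `publish` step the `gem-hash` output refers to, for instance) should get the same treatment.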
+++ b/.github/actions/ci/action.yml
@@ -8,7 +8,7 @@ inputs:
runs:
using: composite
steps:
- - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
+ - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
with:
ruby-version: ${{ inputs.ruby-version }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4aa469a..3d7a5aa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,7 +43,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
+ - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
with:
ruby-version: 3.4
diff --git a/.github/workflows/manual-publish-docs.yml b/.github/workflows/manual-publish-docs.yml
index 177372a..6b1c587 100644
--- a/.github/workflows/manual-publish-docs.yml
+++ b/.github/workflows/manual-publish-docs.yml
@@ -11,7 +11,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
+ - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
with:
ruby-version: 3.1