From 598e03862b115494cb764820f17b49fde322ffae Mon Sep 17 00:00:00 2001 From: Semgrep Autofix Date: Fri, 20 Mar 2026 13:01:53 +0000 Subject: [PATCH 1/2] chore: Pin release-please-action to full commit SHA Pin the googleapis/release-please-action to a full commit SHA for improved supply chain security. ## Changes - Updated `googleapis/release-please-action@v4` to use full commit SHA `7987652d64b4f86e094c6b42e1f2e99a6e019e3a` (v4.1.3) - Added version comment for maintainability ## Why Pinning GitHub Actions to a full commit SHA is a security best practice. Version tags like `v4` are mutable and can be updated by the repository owner at any time. By pinning to a specific commit SHA, we ensure the action code cannot change unexpectedly, mitigating the risk of supply chain attacks where a bad actor could inject malicious code into a tagged release. ## Semgrep Finding Details An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. @pkaeding@launchdarkly.com requested Semgrep Assistant generate this pull request to fix [a finding](https://semgrep.dev/orgs/launchdarkly/findings/726909399). --- .github/workflows/release-please.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index bd5e49a..cdf491c 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -19,7 +19,7 @@ jobs: - 6379:6379 steps: - - uses: googleapis/release-please-action@v4 + - uses: googleapis/release-please-action@7987652d64b4f86e094c6b42e1f2e99a6e019e3a # v4.1.3 id: release - uses: actions/checkout@v4 
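Review bot: the hunk pins release-please-action but leaves `- uses: actions/checkout@v4` on the very next context line unpinned; the mutable-tag argument given in the commit message applies to it just as much, so pin it to its full commit SHA with a `# vX.Y.Z` comment in the same pass (actions/checkout is GitHub-owned, which is why Semgrep's third-party rule did not flag it, but the `v4` tag is no less mutable). Nothing in the diff shows how `7987652d64b4f86e094c6b42e1f2e99a6e019e3a` was confirmed to be the commit behind the v4.1.3 tag; verify it against upstream before merging (for example `git ls-remote --tags https://github.com/googleapis/release-please-action v4.1.3`), and configure Dependabot or Renovate to update the SHA and the `# v4.1.3` comment together so the comment does not silently drift from the pinned commit.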
From c3e7e742b2a85b3b567069c60cf2df82d79c0962 Mon Sep 17 00:00:00 2001 From: "Matthew M. Keeler" Date: Mon, 23 Mar 2026 09:21:27 -0400 Subject: [PATCH 2/2] Apply suggestion from @keelerm84 --- .github/workflows/release-please.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index cdf491c..4419ccb 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -19,7 +19,7 @@ jobs: - 6379:6379 steps: - - uses: googleapis/release-please-action@7987652d64b4f86e094c6b42e1f2e99a6e019e3a # v4.1.3 + - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0 id: release - uses: actions/checkout@v4
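Review bot: replacing the v4.1.3 SHA with `16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0` is a version bump, not only a pin, yet the commit message ("Apply suggestion from @keelerm84") and the PR description, which still says v4.1.3, give no reason; state why (newest release, a needed fix) in the commit message and update the PR description to match, and confirm the new SHA resolves to the v4.4.0 tag upstream rather than trusting the comment. `- uses: actions/checkout@v4` in the trailing context is still unpinned after both commits.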
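One way to run the kind of check Semgrep raised in this PR against every workflow in a repository, as an added example that is not part of this PR, of Semgrep or of release-please: a POSIX shell linter that reports each `uses:` reference not pinned to a full 40-hex commit SHA. The function names, the sample workflow (modelled on the PR's `release-please.yml`) and the placeholder SHAs in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of this PR or of Semgrep): a small linter that flags
# `uses:` references in a GitHub Actions workflow that are not pinned to a
# full 40-hex commit SHA. Function names, the sample workflow and the
# placeholder SHAs in it are constructed for this example.

# Write a constructed sample workflow (modelled on the one in the PR) to $1.
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: release-please
on:
  push:
    branches: [main]
jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
        id: release
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - uses: "actions/setup-node@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" # placeholder SHA, constructed
      # uses: actions/cache@v3 (commented out; must be ignored)
EOF
}

# Print each unpinned reference in workflow file $1 as "<line>:<ref>".
# Returns 0 when every remote reference is SHA-pinned, 1 otherwise.
find_unpinned_uses() {
  file="$1"; found=0; lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in
      *"uses:"*) ;;
      *) continue ;;
    esac
    # Skip lines where `uses:` sits inside a YAML comment.
    prefix=${line%%uses:*}
    case "$prefix" in *"#"*) continue ;; esac
    # Keep the value only: drop "uses:", a trailing "# vX.Y.Z" comment, quotes, whitespace.
    ref=${line#*uses:}
    ref=${ref%%#*}
    ref=$(printf '%s' "$ref" | tr -d "[:space:]\"'")
    # Local actions and docker images are not GitHub-hosted refs; out of scope here.
    case "$ref" in
      ./*|docker://*) continue ;;
    esac
    # Pinned form is owner/repo[/path]@<40 lowercase hex chars>; anything else is mutable.
    if printf '%s' "$ref" | grep -Eq '^[^@]+@[0-9a-f]{40}$'; then
      continue
    fi
    printf '%s:%s\n' "$lineno" "$ref"
    found=1
  done < "$file"
  return "$found"
}

# Demo: lint the constructed sample; the only report should be the checkout@v4 line.
demo_file=$(mktemp)
write_sample_workflow "$demo_file"
if find_unpinned_uses "$demo_file"; then
  echo "all remote uses: references are SHA-pinned"
else
  echo "unpinned references found (line:ref above); pin them to a full commit SHA"
fi
rm -f "$demo_file"
```

Run `find_unpinned_uses` over each file in `.github/workflows/` in CI and fail the job on a non-zero return. The regex accepts only a 40-character lowercase hex object name, so an abbreviated SHA or a tag such as `v4` is reported, matching the Semgrep rule's requirement for a full-length SHA. The `# vX.Y.Z` comment is stripped before the check, so its accuracy is not verified here; keeping it truthful still depends on a tool such as Dependabot or Renovate that updates the SHA and the comment together.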