From 039ba02fc2ea8bc6f585e42823815660004ad2a9 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Sat, 18 Apr 2026 10:23:43 +1000
Subject: [PATCH 1/2] Hash pin GitHub Actions

---
 .github/workflows/build.yml | 2 +-
 .github/workflows/lint.yml  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5bbaec46..5a9f4acd 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -50,7 +50,7 @@ jobs:
             os: "ubuntu-24.04-arm"
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           submodules: true
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 499a51be..2f3bfbd7 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -16,7 +16,7 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - uses: j178/prek-action@v1

From e23bef81c1d4f64b8469a438cc8a143deef653a8 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Sat, 18 Apr 2026 11:32:14 +0300
Subject: [PATCH 2/2] Hash pin GitHub Actions

---
 .github/workflows/build.yml | 2 +-
 .github/workflows/lint.yml  | 2 +-
 .github/zizmor.yml          | 6 ------
 3 files changed, 2 insertions(+), 8 deletions(-)
 delete mode 100644 .github/zizmor.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5a9f4acd..ae4ed597 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -57,7 +57,7 @@ jobs:
 
       - name: Set up QEMU
         if: "matrix.qemu-arch"
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
         with:
           platforms: ${{ matrix.qemu-arch }}
 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 2f3bfbd7..e160cd9f 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -19,4 +19,4 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: j178/prek-action@v1
+      - uses: j178/prek-action@cbc2f23eb5539cf20d82d1aabd0d0ecbcc56f4e3 # v2.0.2
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
deleted file mode 100644
index 10002656..00000000
--- a/.github/zizmor.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-# https://docs.zizmor.sh/configuration/
-rules:
-  unpinned-uses:
-    config:
-      policies:
-        "*": ref-pin