From c94154fe0126d2aef7eda808d51407af1fa8bc54 Mon Sep 17 00:00:00 2001
From: RyanH-STFC
Date: Wed, 22 Apr 2026 10:51:26 +0100
Subject: [PATCH] Change all tags from workflows to pinned SHAs
- Change all of the tags in the repo to pinned SHAs as it is best practice as a defence against supply chain attacks
---
 .github/workflows/black.yml | 4 ++--
 .github/workflows/codeql.yml | 6 +++---
 .github/workflows/pylint.yml | 4 ++--
 .github/workflows/unit_tests.yml | 6 +++---
 4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index 128775870..fd66d98b0 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -6,5 +6,5 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: psf/black@stable
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ - uses: psf/black@c6755bb741b6481d6b3d3bb563c83fa060db96c9
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index bfc7e9e3f..88d943df0 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -56,11 +56,11 @@ jobs:
 # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
@@ -72,6 +72,6 @@ jobs:
 # queries: security-extended,security-and-quality
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13
 with:
 category: "/language:${{matrix.language}}"
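Review bot: In `.github/workflows/black.yml` the new `uses:` lines carry a bare 40-character SHA with no trailing comment naming the release it corresponds to, so a later reader cannot tell which version is running or audit the pin by eye; the same applies to every pinned line in `codeql.yml`, `pylint.yml` and `unit_tests.yml`. I would append the release as a comment, e.g. `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # vX.Y.Z` (placeholder; fill in the tag this commit actually belongs to). Before doing so, confirm each SHA is reachable from a release tag in the upstream repository rather than only from a fork, since GitHub resolves commit SHAs across a repository's fork network. The `psf/black` line also moves from the rolling `stable` ref to a fixed commit, so the formatter stops following new releases until the pin is bumped. If no updater for GitHub Actions is configured (none is visible in this patch), the pins will also stop receiving upstream security fixes.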
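Review bot: In `.github/workflows/codeql.yml`, `github/codeql-action/init` (first hunk) and `github/codeql-action/analyze` (second hunk) are pinned to the same commit, but nothing in the file records that the two must move together. As far as I know the sub-actions are meant to run from one version of the repository, so a later bump that updates only one line could leave them mismatched. A comment above the `Initialize CodeQL` step such as `# init and analyze must stay on the same github/codeql-action commit` would make that explicit. The `steps:` list starts and ends outside both hunks.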
diff --git a/.github/workflows/pylint.yml b/.github/workflows/pylint.yml
index 445d70702..ec7c206cf 100644
--- a/.github/workflows/pylint.yml
+++ b/.github/workflows/pylint.yml
@@ -9,9 +9,9 @@ jobs:
 matrix:
 python-version: ["3.10", "3.11", "3.x"]
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install dependencies
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index 5a097c589..cdaffdc66 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -13,9 +13,9 @@ jobs:
 matrix:
 python-version: ["3.10", "3.11"]
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install ST2 Test Runner
@@ -30,7 +30,7 @@ jobs:
 run: cd $GITHUB_WORKSPACE && ./run_tests.sh && coverage xml
 - name: Submit Coverage
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de
 with:
 fail_ci_if_error: true
 token: ${{secrets.CODECOV_TOKEN}}
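Review bot: In the second hunk of `.github/workflows/unit_tests.yml`, the `Submit Coverage` step hands `secrets.CODECOV_TOKEN` to `codecov/codecov-action`, and the SHA pin fixes only the action's own repository contents. As far as I know the v5 action fetches the Codecov CLI at run time, so that download is not covered by the pin. The visible `with:` block does not set `skip_validation`, and it should stay unset so the action's integrity check of the download remains on. If the run-time download is confirmed, a comment on the step such as `# SHA pin covers the action code only; the uploader is fetched at run time` would keep the residual risk visible. The workflow triggers and any `permissions:` block are outside the hunk, so whether the token is available to runs from forks cannot be judged from here.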