From 3df32f954ba402e0f3a6acb933fa60bbe4e4859c Mon Sep 17 00:00:00 2001
From: Kaiyi Li <kaiyi.li@shopify.com>
Date: Mon, 27 Apr 2026 11:28:14 -0700
Subject: [PATCH] pin github actions to SHAs

---
 .github/workflows/release.yml | 2 +-
 .github/workflows/snapit.yml  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9384f2a..b633767 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -29,7 +29,7 @@ jobs:
         run: npm install
 
       - name: Create Release Pull Request or Publish
-        uses: changesets/action@v1 # Must use latest version!
+        uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1
         with:
           publish: npx changeset publish
         env:
diff --git a/.github/workflows/snapit.yml b/.github/workflows/snapit.yml
index c47ab1b..dc11162 100644
--- a/.github/workflows/snapit.yml
+++ b/.github/workflows/snapit.yml
@@ -13,7 +13,7 @@ jobs:
     steps:
       - name: Checkout default branch
         uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
         with:
           version: 10
       - name: Create snapshot version