From 7ab33447afb9d4315e3bb5ea7980877729cffbf9 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 1 Apr 2026 20:31:09 +0000
Subject: [PATCH] chore(deps): pin dependencies

---
 .github/actions/security-scans/action.yml | 2 +-
 .github/workflows/bake_targets.yml        | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/actions/security-scans/action.yml b/.github/actions/security-scans/action.yml
index 96a7bf2f..f39cd2b7 100644
--- a/.github/actions/security-scans/action.yml
+++ b/.github/actions/security-scans/action.yml
@@ -38,7 +38,7 @@ runs:
         accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py
 
     - name: Snyk
-      uses: snyk/actions/docker@master
+      uses: snyk/actions/docker@9adf32b1121593767fc3c057af55b55db032dc04 # master
       id: snyk
       if: ${{ inputs.snyk_token != '' }}
       # Snyk can be used to break the build when it detects vulnerabilities.
diff --git a/.github/workflows/bake_targets.yml b/.github/workflows/bake_targets.yml
index 4c2efed1..d6b78af0 100644
--- a/.github/workflows/bake_targets.yml
+++ b/.github/workflows/bake_targets.yml
@@ -154,7 +154,7 @@ jobs:
       - name: Security checks
         # NOTE: Do not modify this to point to the local action "./.github/actions/security-scans",
         # as it will break workflows running bake_targets.yml (this workflow) from external repositories.
-        uses: cloudnative-pg/postgres-containers/.github/actions/security-scans@main
+        uses: cloudnative-pg/postgres-containers/.github/actions/security-scans@bae348761f622c2b49eed47d07bfeb2f0ed0342a # main
         with:
           image: "${{ matrix.image }}"
           registry_user: ${{ github.actor }}
@@ -180,7 +180,7 @@ jobs:
       - name: Copy to production
         # NOTE: Do not modify this to point to the local action "./.github/actions/copy-images",
         # as it will break workflows running bake_targets.yml (this workflow) from external repositories.
-        uses: cloudnative-pg/postgres-containers/.github/actions/copy-images@main
+        uses: cloudnative-pg/postgres-containers/.github/actions/copy-images@bae348761f622c2b49eed47d07bfeb2f0ed0342a # main
         with:
           bake_build_metadata: "${{ needs.testbuild.outputs.metadata }}"
           registry_user: ${{ github.actor }}