From 9762691e7740736f3058a487d8b7e123f03e6ae6 Mon Sep 17 00:00:00 2001
From: Chris Nyhuis <cnyhuis@vigilantnow.com>
Date: Wed, 25 Mar 2026 23:42:15 -0400
Subject: [PATCH] fix: pin 5 unpinned action(s)

Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
 .github/workflows/continuous.yaml        | 2 +-
 .github/workflows/discovery.yaml         | 2 +-
 .github/workflows/presubmit.yaml         | 2 +-
 .github/workflows/update-api-list.yaml   | 2 +-
 .github/workflows/windows-presubmit.yaml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
---
 .github/workflows/continuous.yaml        | 2 +-
 .github/workflows/discovery.yaml         | 2 +-
 .github/workflows/presubmit.yaml         | 2 +-
 .github/workflows/update-api-list.yaml   | 2 +-
 .github/workflows/windows-presubmit.yaml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/continuous.yaml b/.github/workflows/continuous.yaml
index 444097bc876..1b3744772dc 100644
--- a/.github/workflows/continuous.yaml
+++ b/.github/workflows/continuous.yaml
@@ -11,7 +11,7 @@ jobs:
         node: [18, 20, 22]
     steps:
       - uses: actions/checkout@v6
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
         with:
           version: ^7.0.0
       - run: node --version
diff --git a/.github/workflows/discovery.yaml b/.github/workflows/discovery.yaml
index d1fdfcbda0c..e8ec237e7aa 100644
--- a/.github/workflows/discovery.yaml
+++ b/.github/workflows/discovery.yaml
@@ -18,7 +18,7 @@ jobs:
       # Fix formatting
       - run: cd handwritten/bigquery && npm run fix
       # Submit pull request
-      - uses: googleapis/code-suggester@v5
+      - uses: googleapis/code-suggester@f9fef85aa02459e30e62526abe950341cbbd768b # v5
         env:
           ACCESS_TOKEN: ${{ secrets.YOSHI_CODE_BOT_TOKEN }}
         with:
diff --git a/.github/workflows/presubmit.yaml b/.github/workflows/presubmit.yaml
index 9c37deef21d..18c710c2410 100644
--- a/.github/workflows/presubmit.yaml
+++ b/.github/workflows/presubmit.yaml
@@ -15,7 +15,7 @@ jobs:
         uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
         with:
           version: ^10.0.0
       - run: node --version
diff --git a/.github/workflows/update-api-list.yaml b/.github/workflows/update-api-list.yaml
index 2e8511b0421..55009be8cd7 100644
--- a/.github/workflows/update-api-list.yaml
+++ b/.github/workflows/update-api-list.yaml
@@ -15,7 +15,7 @@ jobs:
       - run: npm run generate
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - uses: googleapis/code-suggester@v5
+      - uses: googleapis/code-suggester@f9fef85aa02459e30e62526abe950341cbbd768b # v5
         env:
           ACCESS_TOKEN: ${{ secrets.YOSHI_CODE_BOT_TOKEN }}
         with:
diff --git a/.github/workflows/windows-presubmit.yaml b/.github/workflows/windows-presubmit.yaml
index 624c0f32a7c..1d02f89c241 100644
--- a/.github/workflows/windows-presubmit.yaml
+++ b/.github/workflows/windows-presubmit.yaml
@@ -15,7 +15,7 @@ jobs:
         uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
         with:
           version: ^10.0.0
       - run: node --version