From 53ef595c63984ee2af3c20d832e050a080182603 Mon Sep 17 00:00:00 2001
From: Mike Morris
Date: Tue, 24 Mar 2026 22:31:47 -0700
Subject: [PATCH 1/2] ci: pin GitHub Actions to commit SHAs for supply chain security
---
.github/workflows/deploy.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 88406e1..7aa65ba 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -15,10 +15,10 @@ jobs: if: github.ref != 'refs/heads/main' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '20'
@@ -44,10 +44,10 @@ jobs: if: github.ref == 'refs/heads/main' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '20'
@@ -55,6 +55,6 @@ jobs: run: npm ci - name: Deploy to Production - uses: cloudflare/wrangler-action@v3 + uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3 with: - apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} + apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} \ No newline at end of file
From 452f15e87acce41c353e5caea297a07b549659eb Mon Sep 17 00:00:00 2001
From: Mike Morris
Date: Tue, 24 Mar 2026 22:31:54 -0700
Subject: [PATCH 2/2] ci: pin GitHub Actions to commit SHAs for supply chain security
---
.github/workflows/reference-repo-updated.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/reference-repo-updated.yml b/.github/workflows/reference-repo-updated.yml
index cbb1848..4ba2ad3 100644
--- a/.github/workflows/reference-repo-updated.yml
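Review bot: The trailing `# v4`, `# v3` and `# v7` comments on the pinned `uses:` lines name only the moving major tag, so a reader cannot tell which release each SHA was taken from and a later reviewer has to resolve the hash by hand to confirm the pin. Record the exact release tag instead, in the form `uses: actions/checkout@<sha> # vX.Y.Z` (placeholder; take the tag from the upstream release the SHA was resolved from), which is also the form Dependabot and Renovate rewrite when they bump a pinned action. This applies to every pinned line in both deploy.yml and reference-repo-updated.yml. The lines of deploy.yml between the first two hunks are not shown, so it is worth confirming that no `uses:` reference there is still on a tag.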
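Review bot: The `apiToken:` line in the last deploy.yml hunk is rewritten only to drop the file's final newline (the `\ No newline at end of file` marker follows the added line), which is unrelated to pinning and puts a secret-bearing line into a diff that should touch only `uses:` references. The closing `fi` in the last hunk of reference-repo-updated.yml is changed the same way. Restore the trailing newline in both files so the change is limited to the five and four pinned references respectively and is easier to audit.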
+++ b/.github/workflows/reference-repo-updated.yml
@@ -28,7 +28,7 @@ jobs: new_hash: ${{ steps.compare.outputs.new_hash }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Fetch reference repo README id: fetch
@@ -85,10 +85,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Create or update sync issue - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const isDispatch = context.eventName === 'repository_dispatch';
@@ -173,7 +173,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Update stored hash run: |
@@ -191,4 +191,4 @@ jobs: else git commit -m "chore: update methodology content hash [skip ci]" git push - fi + fi \ No newline at end of file
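Review bot: The pinned `actions/checkout` step in the first hunk (old line 28) still runs with its defaults, which leaves the job token in the checked-out repository's git configuration for the later steps, including the one that fetches the reference repo README. If that job never pushes (its remaining steps are outside the hunk, so this needs confirming), add `with:` and `persist-credentials: false` under the step. The same hardening likely fits the checkout in the hunk at old line 85, where the following step is `actions/github-script`, and the two checkouts in deploy.yml. The job in the hunk at old line 173 is followed by a `git push` in the last hunk and does need the persisted credential, so it should keep the default.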