ci(security): pin 3rd-party actions to commit SHAs (CodeQL actions/unpinned-tag)

glennawatson · glennawatson · commit b2bab06bc308 · 2026-05-23T19:09:14.000+10:00
Pin NuGet/login -&gt; v1.2.0 (8d19675) and dessant/lock-threads -&gt; v6.0.2
(89ae32b) to commit SHAs with version comments, resolving the CodeQL
unpinned-tag alerts. Renovate updates them via the version comments.
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
@@ -16,7 +16,7 @@ jobs:
   action:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@v6
+      - uses: dessant/lock-threads@89ae32b08ed1a541efecbab17912962a5e38981c # v6.0.2
         with:
           github-token: ${{ github.token }}
           issue-inactive-days: '14'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -45,7 +45,7 @@ jobs:
 
       - name: NuGet login (OIDC trusted publishing)
         id: nuget-login
-        uses: NuGet/login@v1
+        uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1.2.0
         with:
           user: ${{ secrets.NUGET_USER }}
 
