From 53c64422bc9cf5d08fc04c0fe26cf8853f2c2662 Mon Sep 17 00:00:00 2001
From: Julien Doutre <36448022+juliendoutre@users.noreply.github.com>
Date: Mon, 16 Mar 2026 14:20:34 +0100
Subject: [PATCH] Pin GitHub Actions

---
 .github/workflows/build.yml            |  8 ++++----
 .github/workflows/build_layer.yml      |  4 ++--
 .github/workflows/codeql-analysis.yml  |  8 ++++----
 .github/workflows/system_tests.yml     |  4 ++--
 .github/workflows/update-snapshots.yml | 10 +++++-----
 .github/workflows/update_deps.yml      |  6 +++---
 6 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 787b5da36..f175c33fe 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -14,10 +14,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Set up Python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3.1.4
         with:
           python-version: 3.9
 
@@ -47,10 +47,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1
         with:
           python-version: ${{ matrix.python-version }}
 
diff --git a/.github/workflows/build_layer.yml b/.github/workflows/build_layer.yml
index e21f16336..ba00275f6 100644
--- a/.github/workflows/build_layer.yml
+++ b/.github/workflows/build_layer.yml
@@ -19,7 +19,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Download ddtrace Wheel
         id: find-ddtrace-wheel
@@ -40,7 +40,7 @@ jobs:
           ARCH=${{ matrix.arch }} PYTHON_VERSION=${{ matrix.python_version }} DD_TRACE_WHEEL="${{ steps.find-ddtrace-wheel.outputs.wheel_path }}" ./scripts/build_layers.sh
 
       - name: Upload layer artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           path: .layers/datadog_lambda_py-${{ matrix.arch }}-${{ matrix.python_version }}.zip
           name: datadog-lambda-python-${{ matrix.python_version }}-${{ matrix.arch }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 985f09f22..80cb39738 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -38,11 +38,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
diff --git a/.github/workflows/system_tests.yml b/.github/workflows/system_tests.yml
index 49e7bf052..f3e69864a 100644
--- a/.github/workflows/system_tests.yml
+++ b/.github/workflows/system_tests.yml
@@ -12,13 +12,13 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Build layer
         run: |
           ARCH=amd64 PYTHON_VERSION=3.13 ./scripts/build_layers.sh
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           path: .layers/datadog_lambda_py-amd64-3.13.zip
           name: binaries
diff --git a/.github/workflows/update-snapshots.yml b/.github/workflows/update-snapshots.yml
index 81e0c5394..0ac1f3ba3 100644
--- a/.github/workflows/update-snapshots.yml
+++ b/.github/workflows/update-snapshots.yml
@@ -8,22 +8,22 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Set up Node 14
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
         with:
           node-version: 14
 
       - name: Cache Node modules
         id: cache-node-modules
-        uses: actions/cache@v3
+        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0
         with:
           path: "**/node_modules"
           key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1
         with:
           python-version: 3.9
 
@@ -67,7 +67,7 @@ jobs:
         run: ./scripts/run_integration_tests.sh
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672 # v3.14.0
         with:
           commit-message: update snapshots
           title: Update Snapshots
diff --git a/.github/workflows/update_deps.yml b/.github/workflows/update_deps.yml
index 15a3ac665..d76f96cb5 100644
--- a/.github/workflows/update_deps.yml
+++ b/.github/workflows/update_deps.yml
@@ -18,12 +18,12 @@ jobs:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           token: ${{ steps.generate_token.outputs.token }}
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1
         with:
           python-version: 3.13
 
@@ -33,7 +33,7 @@ jobs:
           poetry update
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672 # v3.14.0
         with:
           token: ${{ steps.generate_token.outputs.token }}
           commit-message: update dependencies