From 659d51f532c69dc437752ce46cc9dab7049bea58 Mon Sep 17 00:00:00 2001
From: John Bampton <jbampton@gmail.com>
Date: Wed, 18 Mar 2026 21:28:23 +1000
Subject: [PATCH] Pin workflow hashes

---
 .github/workflows/deploy.yml       | 6 ++++--
 .github/workflows/pre-commit.yml   | 6 +++---
 .github/workflows/super-linter.yml | 4 ++--
 .pre-commit-config.yaml            | 2 +-
 4 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index d39e9ed..c62a5e5 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -14,9 +14,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Setup Node.js (or other environment if needed)
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 24
       - name: Install dependencies and build site
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index e0a0b57..44652de 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -11,15 +11,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          # Fetch all history so pre-commit can compare if needed
           fetch-depth: 0
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
           python-version: "3.x"
-          architecture: "x64" # optional x64 or x86. Defaults to x64 if not specified
+          architecture: "x64"
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
index b2e052b..1a82047 100644
--- a/.github/workflows/super-linter.yml
+++ b/.github/workflows/super-linter.yml
@@ -13,14 +13,14 @@ jobs:
       contents: read
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # super-linter needs the full git history to get the
           # list of files that changed across commits
           fetch-depth: 0
           persist-credentials: false
       - name: Super-Linter
-        uses: super-linter/super-linter@v8.5.0
+        uses: super-linter/super-linter@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
         env:
           ERROR_ON_MISSING_EXEC_BIT: true
           VALIDATE_EDITORCONFIG: true
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a0894f9..2a11c4b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -2,7 +2,7 @@ default_stages: [pre-commit, pre-push]
 minimum_prek_version: "0.2.22"
 default_language_version:
   python: python3
-  node: 24.13.0
+  node: 24.14.0
 exclude: |
   (?x)^(
     \.git/|