From 54054d65033369c3426dba32a3ac3a821c5f7fe8 Mon Sep 17 00:00:00 2001
From: irfanuddinahmad <iahmad@2u.com>
Date: Tue, 19 May 2026 09:57:36 +0500
Subject: [PATCH] chore: pin GitHub Actions workflows to full commit SHAs

---
 .github/workflows/detekt.yml                   | 6 +++---
 .github/workflows/unit_tests.yml               | 8 ++++----
 .github/workflows/validate-english-strings.yml | 4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/detekt.yml b/.github/workflows/detekt.yml
index 0cee02ffe..214affc0d 100644
--- a/.github/workflows/detekt.yml
+++ b/.github/workflows/detekt.yml
@@ -15,10 +15,10 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
         with:
           distribution: 'temurin' # See 'Supported distributions' for available options
           java-version: '17'
@@ -27,7 +27,7 @@ jobs:
         run: ./gradlew detektAll
 
       - name: Upload report
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.35.5
         if: success() || failure()
         with:
           sarif_file: build/reports/detekt/detekt.sarif
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index 3d93935a0..fdea55638 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -22,18 +22,18 @@ jobs:
       cancel-in-progress: true
     steps:
       - name: ⏬ Checkout with LFS
-        uses: nschloe/action-cached-lfs-checkout@v1.2.1
+        uses: nschloe/action-cached-lfs-checkout@d6efedcb8fc03d006e1e77743718e26234ed2c97 # v1.2.1
         with:
           # Ensure we are building the branch and not the branch after being merged on develop
           # https://github.com/actions/checkout/issues/881
           ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.ref }}
       - name: ☕️ Use JDK 17
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1
         with:
           distribution: 'temurin' # See 'Supported distributions' for available options
           java-version: '17'
       - name: Configure gradle
-        uses: gradle/gradle-build-action@v2.6.1
+        uses: gradle/gradle-build-action@915a66c096a03101667f9df2e56c9efef558b165 # v2.6.1
         with:
           cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
       - name: Generate mock files
@@ -42,7 +42,7 @@ jobs:
         run: ./gradlew testProdDebugUnitTest $CI_GRADLE_ARG_PROPERTIES
 
       - name: Upload reports
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: failure()
         with:
           name: failures
diff --git a/.github/workflows/validate-english-strings.yml b/.github/workflows/validate-english-strings.yml
index 43935b05e..a95d7e5a9 100644
--- a/.github/workflows/validate-english-strings.yml
+++ b/.github/workflows/validate-english-strings.yml
@@ -12,10 +12,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Use Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.11