From b293830ad98305966fd5c990d545bb0674689443 Mon Sep 17 00:00:00 2001
From: OpenAI Codex <codex@openai.com>
Date: Mon, 13 Apr 2026 12:41:11 -0700
Subject: [PATCH] chore: pin GitHub Actions

---
 .github/workflows/promptfoo-code-scan.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/promptfoo-code-scan.yml b/.github/workflows/promptfoo-code-scan.yml
index 10b3d61..a0b28d3 100644
--- a/.github/workflows/promptfoo-code-scan.yml
+++ b/.github/workflows/promptfoo-code-scan.yml
@@ -14,12 +14,12 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
 
       - name: Run Promptfoo Code Scan
-        uses: promptfoo/code-scan-action@v0
+        uses: promptfoo/code-scan-action@c4839dcb8623ca031ee6d271c7850dc71d994dd3 # v0
         with:
           min-severity: medium
           guidance: |
@@ -37,7 +37,7 @@ jobs:
 
     steps:
       - name: Wait for all PR checks to succeed
-        uses: promptfoo/.github/.github/actions/ci-success@main
+        uses: promptfoo/.github/.github/actions/ci-success@06453faf6e513174f5ee0b340bac7cdfa41bf437 # main
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           timeout-seconds: 300