From b1fe658d3933c79dc32631573a1f58ec951cbc27 Mon Sep 17 00:00:00 2001
From: Alexander Brandes <mc.cache@web.de>
Date: Sat, 4 Oct 2025 22:11:58 +0200
Subject: [PATCH] Prefer using the SHA of third party actions (#11154)

---
 .github/workflows/changelog.yml               | 4 ++--
 .github/workflows/label-conflicting-pr.yml    | 2 +-
 .github/workflows/require-changelog-label.yml | 2 +-
 .github/workflows/run-since-updater.yml       | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index f078dabe06..2601b99e58 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -24,7 +24,7 @@ jobs:
       # Drafts your next Release notes as Pull Requests are merged into "master"
       - name: Generate GitHub Release Draft
         id: release-drafter
-        uses: release-drafter/release-drafter@v6
+        uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       # Generates a YAML changelog file using https://github.com/jenkinsci/jenkins-core-changelog-generator
@@ -44,7 +44,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'jenkinsci'
     steps:
-      - uses: tibdex/github-app-token@v2
+      - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
         id: generate-token
         with:
           app_id: ${{ secrets.JENKINS_CHANGELOG_UPDATER_APP_ID }}
diff --git a/.github/workflows/label-conflicting-pr.yml b/.github/workflows/label-conflicting-pr.yml
index d03c89f5d7..1e05a18136 100644
--- a/.github/workflows/label-conflicting-pr.yml
+++ b/.github/workflows/label-conflicting-pr.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Label conflicting PRs
-        uses: eps1lon/actions-label-merge-conflict@v3.0.3
+        uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
         with:
           dirtyLabel: "unresolved-merge-conflict"
           repoToken: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/require-changelog-label.yml b/.github/workflows/require-changelog-label.yml
index a29ac893c2..713d4cd0f3 100644
--- a/.github/workflows/require-changelog-label.yml
+++ b/.github/workflows/require-changelog-label.yml
@@ -12,7 +12,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: mheap/github-action-required-labels@8afbe8ae6ab7647d0c9f0cfa7c2f939650d22509 # v5
+      - uses: mheap/github-action-required-labels@fb29a14a076b0f74099f6198f77750e8fc236016 # v5.5.0
         with:
           mode: minimum
           count: 1
diff --git a/.github/workflows/run-since-updater.yml b/.github/workflows/run-since-updater.yml
index 0b097bedbc..4040b0b859 100644
--- a/.github/workflows/run-since-updater.yml
+++ b/.github/workflows/run-since-updater.yml
@@ -29,7 +29,7 @@ jobs:
         id: run_script
         shell: bash
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Fill in since annotations