From bdcf15fd04954554a1b1686727462185452d0034 Mon Sep 17 00:00:00 2001
From: Chris Nyhuis <cnyhuis@vigilantnow.com>
Date: Thu, 26 Mar 2026 15:41:19 -0400
Subject: [PATCH] fix: pin 10 unpinned action(s)

Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
 .github/workflows/build.yml               | 2 +-
 .github/workflows/documentation-links.yml | 2 +-
 .github/workflows/lint.yml                | 2 +-
 .github/workflows/require-pr-label.yml    | 8 ++++----
 .github/workflows/reusable-cifuzz.yml     | 4 ++--
 .github/workflows/reusable-wasi.yml       | 2 +-
 6 files changed, 10 insertions(+), 10 deletions(-)
---
 .github/workflows/build.yml               | 2 +-
 .github/workflows/documentation-links.yml | 2 +-
 .github/workflows/lint.yml                | 2 +-
 .github/workflows/require-pr-label.yml    | 8 ++++----
 .github/workflows/reusable-cifuzz.yml     | 4 ++--
 .github/workflows/reusable-wasi.yml       | 2 +-
 6 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3a6d6a763f2c9c..861852a4cf71b4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -512,7 +512,7 @@ jobs:
     - name: Install dependencies
       run: sudo ./.github/workflows/posix-deps-apt.sh
     - name: Set up GCC-10 for ASAN
-      uses: egor-tensin/setup-gcc@v2
+      uses: egor-tensin/setup-gcc@a2861a8b8538f49cf2850980acccf6b05a1b2ae4 # v2
       with:
         version: 10
     - name: Configure OpenSSL env vars
diff --git a/.github/workflows/documentation-links.yml b/.github/workflows/documentation-links.yml
index a09a30587b35eb..35a3228857d0d5 100644
--- a/.github/workflows/documentation-links.yml
+++ b/.github/workflows/documentation-links.yml
@@ -22,7 +22,7 @@ jobs:
     timeout-minutes: 5
 
     steps:
-      - uses: readthedocs/actions/preview@v1
+      - uses: readthedocs/actions/preview@b8bba1484329bda1a3abe986df7ebc80a8950333 # v1
         with:
           project-slug: "cpython-previews"
           single-version: "true"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 0ded53b00da0ef..7f293e075817ff 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -22,4 +22,4 @@ jobs:
       - uses: actions/checkout@v6
         with:
           persist-credentials: false
-      - uses: j178/prek-action@v1
+      - uses: j178/prek-action@0bb87d7f00b0c99306c8bcb8b8beba1eb581c037 # v1
diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml
index 7e534c58c798d1..652d3a649e7524 100644
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Check there's no DO-NOT-MERGE
-        uses: mheap/github-action-required-labels@v5
+        uses: mheap/github-action-required-labels@0ac283b4e65c1fb28ce6079dea5546ceca98ccbe # v5
         with:
           mode: exactly
           count: 0
@@ -33,7 +33,7 @@ jobs:
     steps:
       # Check that the PR is not awaiting changes from the author due to previous review.
       - name: Check there's no required changes
-        uses: mheap/github-action-required-labels@v5
+        uses: mheap/github-action-required-labels@0ac283b4e65c1fb28ce6079dea5546ceca98ccbe # v5
         with:
           mode: exactly
           count: 0
@@ -42,7 +42,7 @@ jobs:
             awaiting change review
       - id: is-feature
         name: Check whether this PR is a feature (contains a "type-feature" label)
-        uses: mheap/github-action-required-labels@v5
+        uses: mheap/github-action-required-labels@0ac283b4e65c1fb28ce6079dea5546ceca98ccbe # v5
         with:
           mode: exactly
           count: 1
@@ -53,7 +53,7 @@ jobs:
       - id: awaiting-merge
         if: steps.is-feature.outputs.status == 'success'
         name: Check for complete review
-        uses: mheap/github-action-required-labels@v5
+        uses: mheap/github-action-required-labels@0ac283b4e65c1fb28ce6079dea5546ceca98ccbe # v5
         with:
           mode: exactly
           count: 1
diff --git a/.github/workflows/reusable-cifuzz.yml b/.github/workflows/reusable-cifuzz.yml
index 6cd9c26037f527..9b06a07359aaa5 100644
--- a/.github/workflows/reusable-cifuzz.yml
+++ b/.github/workflows/reusable-cifuzz.yml
@@ -21,12 +21,12 @@ jobs:
     steps:
       - name: Build fuzzers (${{ inputs.sanitizer }})
         id: build
-        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@51fea8a581a325b79f2af174b9f7c04333c283c0 # master
         with:
           oss-fuzz-project-name: ${{ inputs.oss-fuzz-project-name }}
           sanitizer: ${{ inputs.sanitizer }}
       - name: Run fuzzers (${{ inputs.sanitizer }})
-        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@51fea8a581a325b79f2af174b9f7c04333c283c0 # master
         with:
           fuzz-seconds: 600
           oss-fuzz-project-name: ${{ inputs.oss-fuzz-project-name }}
diff --git a/.github/workflows/reusable-wasi.yml b/.github/workflows/reusable-wasi.yml
index 8d76679a400c7f..13f110c39176f4 100644
--- a/.github/workflows/reusable-wasi.yml
+++ b/.github/workflows/reusable-wasi.yml
@@ -21,7 +21,7 @@ jobs:
         persist-credentials: false
     # No problem resolver registered as one doesn't currently exist for Clang.
     - name: "Install wasmtime"
-      uses: bytecodealliance/actions/wasmtime/setup@v1
+      uses: bytecodealliance/actions/wasmtime/setup@9152e710e9f7182e4c29ad218e4f335a7b203613 # v1
       with:
         version: ${{ env.WASMTIME_VERSION }}
     - name: "Read WASI SDK version"