From 8c3458873e90a325daba6f0c79745d8bea6b8768 Mon Sep 17 00:00:00 2001
From: eepifanova
Date: Thu, 26 Mar 2026 11:33:09 +0000
Subject: [PATCH] ci: pin actions to full commit SHAs

Pin action refs from mutable tags to full commit SHAs to prevent supply-chain attacks.
- actions/upload-artifact: v6.0.0 -> b7c566a7...
- actions/download-artifact: v7 -> 37930b1c...
- azure/login: v2 -> a457da9e...
- actions/labeler: v6 -> 634933ed...
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/coveo.yml | 6 +++---
 .github/workflows/labeler.yml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/coveo.yml b/.github/workflows/coveo.yml
index f90ac1b849..406f15bde6 100644
--- a/.github/workflows/coveo.yml
+++ b/.github/workflows/coveo.yml
@@ -104,7 +104,7 @@ jobs:
 - name: Upload token for ${{matrix.env_name}}
 if: ${{ steps.generate-token.outcome == 'success' }}
- uses: actions/upload-artifact@v6.0.0
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: ${{matrix.env_name}}
 path: "./"
@@ -138,13 +138,13 @@ jobs:
 needs: generate-coveo-search-token
 steps:
 - name: Download Coveo search token
- uses: actions/download-artifact@v7
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
 - name: View files
 run: ls -R
 - name: Login to Azure
- uses: azure/login@v2
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
 with:
 creds: ${{secrets.AZURE_CREDENTIALS_DOCS}}
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 9f984f1b2e..f442ca407c 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -12,6 +12,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Apply labels based on file paths
- uses: actions/labeler@v6
+ uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
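Review bot: In the first coveo.yml hunk, `path: "./"` on the `Upload token` step packages the whole working directory into the artifact rather than only the generated token, so anything else the job left in the workspace is stored with it and is available to whoever can read the run's artifacts. Pinning the action does not change that. Pointing `path` at the token file alone (`path: "<token-file>"`, a placeholder because the file name is not visible here) and adding a short `retention-days` would narrow the exposure. The job's earlier steps lie above the hunk, so what else is in the workspace at that point cannot be confirmed from this diff.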
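Review bot: In the second coveo.yml hunk, the trailing comments on the `actions/download-artifact` and `azure/login` pins name only the floating major tags (`# v7`, `# v2`), so the file does not record which release each SHA corresponds to; the `actions/labeler` pin in labeler.yml (`# v6`) has the same gap. Writing the exact release next to each SHA, as the upload-artifact pin does with `# v6.0.0`, for example `uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # vX.Y.Z` (placeholder for the release that commit belongs to), lets reviewers and update tooling see what is actually pinned. Before merge, it is also worth confirming that each SHA is reachable from the upstream repository's tag, since a SHA that exists only in a fork of the action can still resolve. The `Login to Azure` step may continue past the end of the hunk.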