From 96dc6e1bbbc1e544a3156c2714718b1477db798d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 30 Dec 2025 10:02:55 +0000
Subject: [PATCH 1/2] Initial plan


From b88edb96cf96207f28f3ca14d31a0616eeb299f9 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 30 Dec 2025 10:06:13 +0000
Subject: [PATCH 2/2] Pin all GitHub Actions to immutable commit SHAs

Co-authored-by: gcatanese <1771700+gcatanese@users.noreply.github.com>
---
 .github/workflows/label_new_issues.yml | 2 +-
 .github/workflows/labeler_workflow.yml | 6 +++---
 .github/workflows/pypipublish.yml      | 8 ++++----
 .github/workflows/python-ci.yml        | 4 ++--
 .github/workflows/release.yml          | 4 ++--
 .github/workflows/stale.yml            | 2 +-
 6 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/label_new_issues.yml b/.github/workflows/label_new_issues.yml
index 561e178d..307e9c80 100644
--- a/.github/workflows/label_new_issues.yml
+++ b/.github/workflows/label_new_issues.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Add 'needs response' label to new issues
-        uses: actions-ecosystem/action-add-labels@v1
+        uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           labels: 'needs response'
diff --git a/.github/workflows/labeler_workflow.yml b/.github/workflows/labeler_workflow.yml
index 61693d14..3b9a0527 100644
--- a/.github/workflows/labeler_workflow.yml
+++ b/.github/workflows/labeler_workflow.yml
@@ -15,9 +15,9 @@ jobs:
 #      matrix:
 #        python-version: [ '3.6','3.7', '3.8' ]
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies
@@ -30,5 +30,5 @@ jobs:
       run: tox
 
     - name: Add label if tests fail
-      uses: actions/labeler@v6
+      uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6
       if: ${{ failure() }}
\ No newline at end of file
diff --git a/.github/workflows/pypipublish.yml b/.github/workflows/pypipublish.yml
index a267b754..ce4d9fee 100644
--- a/.github/workflows/pypipublish.yml
+++ b/.github/workflows/pypipublish.yml
@@ -17,9 +17,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master
       - name: Set up Python 3.10
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
         with:
           python-version: "3.14"
 
@@ -38,11 +38,11 @@ jobs:
           --outdir dist/
           .
       # - name: Publish distribution 📦 to Test PyPI
-      #   uses: pypa/gh-action-pypi-publish@release/v1
+      #   uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
       #   with:
       #     password: ${{ secrets.PYPI_TEST_KEY }}
       #     repository-url: https://test.pypi.org/legacy/
       - name: Publish distribution 📦 to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
         with:
           password: ${{ secrets.PYPI_KEY }}
diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
index d5565c7d..8746b15c 100644
--- a/.github/workflows/python-ci.yml
+++ b/.github/workflows/python-ci.yml
@@ -24,12 +24,12 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
         with:
           fetch-depth: 0
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
         with:
           python-version: ${{ matrix.python-version }}
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1c70ced9..cde6dabd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -28,9 +28,9 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
       - name: Prepare the next main release
-        uses: Adyen/release-automation-action@v1.3.1
+        uses: Adyen/release-automation-action@f5e0d6e68f1b203beb443efcabc680e087c2d334 # v1.3.1
         with:
           token: ${{ secrets.ADYEN_AUTOMATION_BOT_ACCESS_TOKEN }}
           develop-branch: main
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index d55f71f5..25881cb1 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -11,7 +11,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-issue-message: 'This issue has been automatically marked as stale due to inactivity and will be closed in 7 days if no further activity occurs.'