From 47ff370cfb73d0fae5ed1c8c94097b78f2ff268d Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 18 Mar 2025 15:11:18 -0400
Subject: [PATCH 1/5] github: pin actions/checkout@v4 to v4.2.2's hash

Signed-off-by: Simon Deziel
---
 .github/workflows/tests.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 2e4db11c..4caa1186 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -18,7 +18,7 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: Repository checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

 - name: Lint shell files
 uses: ludeeus/action-shellcheck@master
@@ -44,7 +44,7 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: Repository checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

 - name: Install dependencies
 run: |
@@ -74,7 +74,7 @@ jobs:
 runs-on: ubuntu-${{ matrix.os }}
 steps:
 - name: Repository checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

 - name: Set up Python
 uses: actions/setup-python@v5
From d0f4eb0cbb6a8cef8701094b935dc79c054330cb Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 18 Mar 2025 15:13:29 -0400
Subject: [PATCH 2/5] github: use redhat-plumbers-in-action/differential-shellcheck instead of ludeeus/action-shellcheck

Signed-off-by: Simon Deziel
---
 .github/workflows/tests.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 4caa1186..306d53b5 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
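Review bot: The `# v4.2.2` comment after each pinned SHA in the three `actions/checkout` hunks of PATCH 1/5 is the only link between the hash and a release, and nothing in this series shows what keeps the two in step or moves the pin forward when a fixed release ships. A Dependabot `github-actions` entry (or an equivalent update bot) rewrites both the SHA and the trailing version comment; if the repository already has one, no change is needed. The same applies to the `actions/setup-python` pin in PATCH 5/5.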
@@ -20,8 +20,13 @@ jobs:
 - name: Repository checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- - name: Lint shell files
- uses: ludeeus/action-shellcheck@master
+ - id: ShellCheck
+ name: Differential ShellCheck
+ uses: redhat-plumbers-in-action/differential-shellcheck@dd551ce780d8af741f8cd8bab6982667b906b457 # v5.5.3
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ strict-check-on-push: true
+ if: github.event_name == 'pull_request'

 - name: Install dependencies
 run: |
From 1aa6123bf70ff1b871a0e96c573ef25846e3d3cd Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 18 Mar 2025 15:13:45 -0400
Subject: [PATCH 3/5] github: redhat-plumbers-in-action/differential-shellcheck requires non-shallow clone

Signed-off-by: Simon Deziel
---
 .github/workflows/tests.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 306d53b5..4c97364d 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -19,6 +19,9 @@ jobs:
 steps:
 - name: Repository checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ # A non-shallow clone is needed for the Differential ShellCheck
+ fetch-depth: 0

 - id: ShellCheck
 name: Differential ShellCheck
From f870aaab96115c8944079de91d4e53d0024117ae Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 18 Mar 2025 15:14:31 -0400
Subject: [PATCH 4/5] github: require all GHA to be pinned

Signed-off-by: Simon Deziel
---
 .github/workflows/tests.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 4c97364d..f56a0cb4 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
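Review bot: The `if: github.event_name == 'pull_request'` on the new Differential ShellCheck step in PATCH 2/5 makes `strict-check-on-push: true` a dead setting, because the step is skipped on push events (this assumes `if:` is a step-level key; the indentation is lost on this page). The removed `ludeeus/action-shellcheck` step had no condition, so if the workflow also runs on push or on a schedule (the `on:` block is outside the hunk), shell files are no longer linted on those runs. Either drop the `if:` so the push scan runs, or drop `strict-check-on-push` and add a comment that linting is PR-only. Since `token: ${{ secrets.GITHUB_TOKEN }}` is handed to a third-party action, it is also worth confirming that the job's `permissions:` grant only what the action needs; they are not visible here.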
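Review bot: The `with:` block added to the checkout step in PATCH 3/5 sets `fetch-depth: 0` but leaves `persist-credentials` at its default, so the job token stays in the clone's git configuration while the third-party ShellCheck action and the later install steps run. Unless a later step needs authenticated git access, add `persist-credentials: false` next to `fetch-depth: 0`. The same applies to the other two checkout steps pinned in PATCH 1/5.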
@@ -23,6 +23,9 @@ jobs:
 # A non-shallow clone is needed for the Differential ShellCheck
 fetch-depth: 0

+ - name: Require GHA pinning
+ uses: canonical/lxd/.github/actions/require-gha-pinning@main
+
 - id: ShellCheck
 name: Differential ShellCheck
 uses: redhat-plumbers-in-action/differential-shellcheck@dd551ce780d8af741f8cd8bab6982667b906b457 # v5.5.3
From 523f917ee711eb625f126ef954678f70d2027cf3 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 18 Mar 2025 15:15:32 -0400
Subject: [PATCH 5/5] github: pin actions/setup-python@v5 to v5.4.0's hash

Signed-off-by: Simon Deziel
---
 .github/workflows/tests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index f56a0cb4..f95d3c5e 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -88,7 +88,7 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
 with:
 python-version: ${{ matrix.python-version }}
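Review bot: The new `Require GHA pinning` step in PATCH 4/5 is itself referenced by a mutable branch, `canonical/lxd/.github/actions/require-gha-pinning@main`, so the check that enforces pinning runs whatever that branch holds at job time. If the action sits outside this repository's trust boundary, pin it like the others, e.g. `uses: canonical/lxd/.github/actions/require-gha-pinning@<full-commit-sha> # main`, and let the update bot move it. If exempting first-party actions is deliberate, a one-line comment above the step saying so would stop a later reader from changing it. Whether the check itself accepts an `@main` reference is not visible in this hunk.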