From 36b86812710697e1f19ffe47ce9f7877e0172ae7 Mon Sep 17 00:00:00 2001
From: Ana Maria Martinez Gomez <ana.martinez@mandiant.com>
Date: Fri, 23 Feb 2024 14:58:30 +0100
Subject: [PATCH 1/4] [CI] Update actions/checkout to latest version

The old version was using a deprecated version of Node.
---
 .github/workflows/release.yml |  2 +-
 .github/workflows/sync.yml    |  6 +++---
 .github/workflows/tests.yml   | 10 +++++-----
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f83cb4512..175c9a1e2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,7 +14,7 @@ jobs:
       contents: write
     steps:
     - name: Checkout code
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         # get all history and tags
         fetch-depth: 0
diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
index c6401888b..b56fd9b18 100644
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     - name: Checkout capa-rules
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Count rules
       run: |
         num_rules=$(find . -type f -name '*.yml' -not -path './.github/*' | wc -l)
@@ -29,12 +29,12 @@ jobs:
     # Do not checkout submodules as we don't need capa-testfiles and we need to
     # update the rules submodule reference
     - name: Checkout capa
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         repository: mandiant/capa
         token: ${{ secrets.CAPA_TOKEN }}
     - name: Checkout capa-rules
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         # To include the commit from update_num_rules (the default `ref` is the
         # one which triggered the action)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 8866ef93e..d21b8db22 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -30,15 +30,15 @@ jobs:
     steps:
     # We check the submodules separately as the rules submodule's reference may not be our PR/master
     - name: Checkout capa without submodules
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         repository: mandiant/capa
     - name: Checkout capa-rules
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         path: rules
     - name: Checkout capa-testfiles
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         repository: mandiant/capa-testfiles
         path: tests/data
@@ -108,12 +108,12 @@ jobs:
         echo "zip_name=capa-$v-linux.zip" >> $GITHUB_ENV
         echo "major_version=$(echo $v | cut -d. -f1)" >> $GITHUB_ENV
     - name: Checkout capa-rules
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         ref: ${{ env.major_version }}
         path: rules
     - name: Checkout capa-testfiles
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         repository: mandiant/capa-testfiles
         path: tests/data

From d5a979a11c15afe9ceb05a4ea7c613ffe36b36aa Mon Sep 17 00:00:00 2001
From: Ana Maria Martinez Gomez <ana.martinez@mandiant.com>
Date: Fri, 23 Feb 2024 15:02:11 +0100
Subject: [PATCH 2/4] [CI] Update actions/setup-python to latest version

The old version was using a deprecated version of Node.
---
 .github/workflows/sync.yml  | 2 +-
 .github/workflows/tests.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
index b56fd9b18..5740960b3 100644
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@@ -51,7 +51,7 @@ jobs:
       id: files
       uses: Ana06/get-changed-files@v2.2.0
     - name: Set up Python 3.9
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
         python-version: 3.9
     - name: Install Python dependencies
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index d21b8db22..54be5b3e7 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -44,7 +44,7 @@ jobs:
         path: tests/data
     # use latest available python for best performance
     - name: Set up Python 3.11
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
         python-version: 3.11
     - name: Install capa

From 98887138074e9c6acb7dc938934a4f26f8c2c76a Mon Sep 17 00:00:00 2001
From: Ana Maria Martinez Gomez <ana.martinez@mandiant.com>
Date: Fri, 23 Feb 2024 15:04:49 +0100
Subject: [PATCH 3/4] [CI] Update Ana06/get-changed-files

Update Ana06/get-changed-files to the latest version that I released
yesterday using Node 20. The old version was using a deprecated version
of Node.
---
 .github/workflows/sync.yml  | 2 +-
 .github/workflows/tests.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
index 5740960b3..719f5b784 100644
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@@ -49,7 +49,7 @@ jobs:
         sed -ir "0,/### New Rules.*/s//### New Rules \($rules\)/" CHANGELOG.md
     - name: Get modified files
       id: files
-      uses: Ana06/get-changed-files@v2.2.0
+      uses: Ana06/get-changed-files@25f79e676e7ea1868813e21465014798211fad8c # v2.3.0
     - name: Set up Python 3.9
       uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 54be5b3e7..7e134570a 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -56,7 +56,7 @@ jobs:
     - name: Get modified files
       if: github.event_name != 'workflow_dispatch' && github.event_name != 'schedule'
       id: files
-      uses: Ana06/get-changed-files@v2.2.0
+      uses: Ana06/get-changed-files@25f79e676e7ea1868813e21465014798211fad8c # v2.3.0
       # this Action may throw the below error, e.g. when not properly rebased
       # however, it still gets the modified files and we can continue
       # Error: The head commit for this pull_request event is not ahead of the base commit.

From a13aaa16284dbfb6b4b54ae5d608274ad454ef9e Mon Sep 17 00:00:00 2001
From: Ana Maria Martinez Gomez <ana.martinez@mandiant.com>
Date: Fri, 23 Feb 2024 15:08:50 +0100
Subject: [PATCH 4/4] [CI] Update ncipollo/release-action

The old version was using a deprecated version of Node.# Please enter the commit message for your changes. Lines starting
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 175c9a1e2..5f04299ff 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,6 +21,6 @@ jobs:
     - name: Get release text
       run: python .github/scripts/create_releases.py ${{ github.ref_name }} > release_body.txt
     - name: Create GitHub release
-      uses: ncipollo/release-action@v1.12.0
+      uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
       with:
         bodyFile: release_body.txt