From 935d9266af389f96ca2dfa9c161327a549ce0051 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 29 Jan 2026 16:38:57 +0000
Subject: [PATCH 1/2] ci: bump golangci/golangci-lint-action from 6 to 9
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6 to 9.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v6...v9)
---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action dependency-version: '9' dependency-type: direct:production update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
.github/workflows/golangci-lint.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 1a057747..a7978b02 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -14,7 +14,7 @@ jobs:
 go-version: '1.24'
 - uses: actions/checkout@v6
 - name: golangci-lint
- uses: golangci/golangci-lint-action@v6
+ uses: golangci/golangci-lint-action@v9
 with:
 version: latest
 only-new-issues: true
From 9fcdebb74f6db36b21c47dbdd3857fd7daf9b8c7 Mon Sep 17 00:00:00 2001
From: David Levy
Date: Thu, 29 Jan 2026 11:00:25 -0600
Subject: [PATCH 2/2] ci: pin GitHub Actions to commit SHAs for supply chain security
Pin 3rd party actions to specific commit SHAs to mitigate supply chain attacks (CWE-829). If a bad actor compromises an action's repository, they cannot affect our workflows since we reference immutable commits.
Actions pinned:
- actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 (v6.2.0)
- golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 (v9.0.0)
Resolves code scanning alert #11
---
.github/workflows/golangci-lint.yml | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index a7978b02..ae795e61 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -9,12 +9,16 @@ jobs:
 name: lint-pr-changes
 runs-on: ubuntu-latest
 steps:
- - uses: actions/setup-go@v6
+ # Pinned to commit SHA for supply chain security (CWE-829)
+ # Verify: gh api repos/actions/setup-go/git/ref/tags/v6 --jq '.object.sha'
+ - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
 with:
 go-version: '1.24'
 - uses: actions/checkout@v6
 - name: golangci-lint
- uses: golangci/golangci-lint-action@v9
+ # Pinned to commit SHA for supply chain security (CWE-829)
+ # Verify: gh api repos/golangci/golangci-lint-action/git/ref/tags/v9 --jq '.object.sha'
+ uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.0.0
 with:
 version: latest
 only-new-issues: true
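Review bot: The two added `Verify:` comments resolve the floating major tags `v6` and `v9`, while the pins are labelled v6.2.0 and v9.0.0, so as soon as either major tag moves the command returns a SHA that differs from the pinned one and a reader can no longer confirm the pin from the comment; point them at the exact release tags, `# Verify: gh api repos/actions/setup-go/git/ref/tags/v6.2.0 --jq '.object.sha'` and likewise `tags/v9.0.0` for golangci-lint-action, and mention that if the tag is annotated `.object.sha` is the tag object rather than the commit and must be dereferenced before comparing. The golangci-lint step still passes `version: latest`, so the action wrapper is now immutable but the linter binary it downloads at run time is whatever release is current that day, which leaves the same class of supply-chain exposure the commit sets out to remove; pinning it, e.g. `version: "<pinned golangci-lint release>"` (placeholder), would close that gap. `actions/checkout@v6` is left on a mutable tag in the same hunk; if leaving GitHub-owned actions tag-pinned is a deliberate policy, a one-line comment above that step saying so would stop the next reviewer from reopening the same scanning alert. The hunk starts inside the `lint-pr-changes` job; the enclosing `jobs:` mapping begins outside it.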