From 4900fcb4bd3f0e47768f8b82ad2fbc2f2e38d9cf Mon Sep 17 00:00:00 2001
From: Saadi Myftija
Date: Mon, 2 Mar 2026 10:12:58 +0100
Subject: [PATCH 1/2] ci: pin vouch action version

Pins vouch actions to `@v1.4.2` in favor of security practices. We were previously using the `@main` tag. Also removes the checkout steps as they're not needed in these workflows.
---
 .github/workflows/vouch-check-pr.yml | 3 +--
 .github/workflows/vouch-manage-by-issue.yml | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/vouch-check-pr.yml b/.github/workflows/vouch-check-pr.yml
index a2f4c6d1b6b..a0691011eb3 100644
--- a/.github/workflows/vouch-check-pr.yml
+++ b/.github/workflows/vouch-check-pr.yml
@@ -13,8 +13,7 @@ jobs:
 check-pr:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: mitchellh/vouch/action/check-pr@main
+ - uses: mitchellh/vouch/action/check-pr@v1.4.2
 with:
 pr-number: ${{ github.event.pull_request.number }}
 auto-close: true
diff --git a/.github/workflows/vouch-manage-by-issue.yml b/.github/workflows/vouch-manage-by-issue.yml
index 36de055752f..36178f77e7f 100644
--- a/.github/workflows/vouch-manage-by-issue.yml
+++ b/.github/workflows/vouch-manage-by-issue.yml
@@ -16,8 +16,7 @@ jobs:
 contains(github.event.comment.body, 'denounce') ||
 contains(github.event.comment.body, 'unvouch')
 steps:
- - uses: actions/checkout@v4
- - uses: mitchellh/vouch/action/manage-by-issue@main
+ - uses: mitchellh/vouch/action/manage-by-issue@v1.4.2
 with:
 comment-id: ${{ github.event.comment.id }}
 issue-id: ${{ github.event.issue.number }}

From 36281e4b98ad53a18650ed385c20eacf96eceddb Mon Sep 17 00:00:00 2001
From: Saadi Myftija
Date: Mon, 2 Mar 2026 10:30:48 +0100
Subject: [PATCH 2/2] Use the commit sha to be stricter with pinning
---
 .github/workflows/vouch-check-pr.yml | 2 +-
 .github/workflows/vouch-manage-by-issue.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/vouch-check-pr.yml b/.github/workflows/vouch-check-pr.yml
index a0691011eb3..b9aadd5e025 100644
--- a/.github/workflows/vouch-check-pr.yml
+++ b/.github/workflows/vouch-check-pr.yml
@@ -13,7 +13,7 @@ jobs:
 check-pr:
 runs-on: ubuntu-latest
 steps:
- - uses: mitchellh/vouch/action/check-pr@v1.4.2
+ - uses: mitchellh/vouch/action/check-pr@c6d80ead49839655b61b422700b7a3bc9d0804a9 # v1.4.2
 with:
 pr-number: ${{ github.event.pull_request.number }}
 auto-close: true
diff --git a/.github/workflows/vouch-manage-by-issue.yml b/.github/workflows/vouch-manage-by-issue.yml
index 36178f77e7f..51bce367b3e 100644
--- a/.github/workflows/vouch-manage-by-issue.yml
+++ b/.github/workflows/vouch-manage-by-issue.yml
@@ -16,7 +16,7 @@ jobs:
 contains(github.event.comment.body, 'denounce') ||
 contains(github.event.comment.body, 'unvouch')
 steps:
- - uses: mitchellh/vouch/action/manage-by-issue@v1.4.2
+ - uses: mitchellh/vouch/action/manage-by-issue@c6d80ead49839655b61b422700b7a3bc9d0804a9 # v1.4.2
 with:
 comment-id: ${{ github.event.comment.id }}
 issue-id: ${{ github.event.issue.number }}
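Review bot: The SHA on the new `uses:` line in `vouch-check-pr.yml` (and the identical pin in `vouch-manage-by-issue.yml`) is only as trustworthy as the check that it is the commit the upstream `v1.4.2` tag points to. GitHub resolves a commit SHA from anywhere in a repository's fork network, so a SHA copied from the wrong place can pin code that never landed upstream; confirm it against the tag in `mitchellh/vouch` before merging. A short comment above each step, e.g. `# SHA verified against upstream tag v1.4.2; update the SHA and the tag comment together`, would record that for whoever bumps it next. The pin also covers only the action's own files: if the action calls other actions or fetches a binary at run time (not visible here), those stay unpinned. Both job bodies continue outside the hunks, so the trigger and any `permissions:` block could not be reviewed.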