From 3a468b2e71c50a5af4bf2e9e70fad12beeb8eaab Mon Sep 17 00:00:00 2001 
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 30 May 2026 18:12:06 +0100 Subject: [PATCH] fix(ci): replace fake action SHA pins with version-faithful real SHAs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These pins were partial-prefix-corruption fakes — fabricated SHAs that share a prefix with a real version's SHA but have fabricated suffixes, slipping past visual review. Verified fake via `gh api commits/ -> 422`. The fix preserves the version the author originally intended (read from the `# vX.Y.Z` comment alongside each pin), rather than blindly bumping to latest. This is important for actions where check-name reporting can differ between major versions (e.g. CodeQL) — keeping the same major preserves any branch-protection contexts that reference check names. Substitutions applied (those present in this repo only — see diff): goto-bus-stop/setup-zig v2.2.1 abea47f85e... erlef/setup-beam v1.24.0 fc68ffb904... erlef/setup-beam v1.18.2 5304e04ea2... erlef/setup-beam v1.19.0 8aa8a857c6... denoland/setup-deno v2.0.4 667a34cdef... denoland/setup-deno v2.0.2 909cc5acb0... denoland/setup-deno v1.1.4 041b854f97... haskell-actions/setup v2.11.0 cd0d9bdd65... actions/upload-artifact v4.6.2 ea165f8d65b6e75b... actions/setup-node v4.4.0 49933ea5288caeca8642d1e84afbd3f7d6820020 actions/setup-node v4.2.0 1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a trufflesecurity/trufflehog v3.95.3 37b77001d0... trufflesecurity/trufflehog v3.82.13 1aa1871f9a... trufflesecurity/trufflehog v3.63.6 f699f60e89... github/codeql-action/* v3.36.0 03e4368ac7... github/codeql-action/* v3.31.10 4bdb89f480... github/codeql-action/* v3.28.0 48ab28a6f5... github/codeql-action/* v4.36.0 7211b7c807... Swatinem/rust-cache v2.7.8 9d47c6ad4b... gitleaks/gitleaks-action v2.3.7 83373cf2f8... Verified real via `gh api repos///commits/`. 
Provenance: [[project_estate_fake_action_sha_punch_list_2026_05_30]]; caught during the estate audit triggered by hyperpolymath/snifs#30.
---
.github/workflows/codeql.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 1a02043..ff11843 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -52,7 +52,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Initialize CodeQL
- uses: github/codeql-action/init@ea9e4e37992a54ee68a9571571f9a567d8f90f78 # v3.28.0
+ uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
@@ -67,6 +67,6 @@ jobs:
exit 1
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9571571f9a567d8f90f78 # v3.28.0
+ uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
with:
category: "/language:${{ matrix.language }}"
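Review bot: Nothing in this workflow, or elsewhere in the diff, ties the new pin `48ab28a6f5dbc2a99bf1e0131198dd8f1df78169` on the `init` line to the `# v3.28.0` comment beside it, so the same prefix-collision substitution this commit undoes could be reintroduced by a later hand edit and again pass visual review. The `gh api` hash-to-tag check described in the message was run once by hand; consider making it a recurring control, for example a CI job that resolves the tag named in each `uses:` comment and fails when it does not point at the pinned commit, or Dependabot's `github-actions` ecosystem, which updates the SHA and the version comment together. The `analyze` pin in the second hunk has the same gap and should be covered by the same check. Both hunks sit inside a job whose definition begins and ends outside the diff.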