From 4d7734ed17e5b2ec687be704878f36cd76132440 Mon Sep 17 00:00:00 2001
From: "dg-blackjack-bot[bot]" <234022014+dg-blackjack-bot[bot]@users.noreply.github.com>
Date: Sat, 4 Apr 2026 10:21:45 +0000
Subject: [PATCH] Pin third party actions to commit SHA
---
 .github/workflows/publish.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 9343a98..463aa5b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -10,10 +10,10 @@ jobs:
 name: build, pack & publish
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 - name: Setup dotnet
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@871f041373faaad213a635d9afb62905ec029bbb # v1
 with:
 dotnet-version: 5.0.203
@@ -23,7 +23,7 @@ jobs:
 # Publish
 - name: publish on version change
 id: publish_nuget
- uses: rohith/publish-nuget@v2
+ uses: rohith/publish-nuget@c12b8546b67672ee38ac87bea491ac94a587f7cc # v2
 with:
 # Filepath of the project to be packaged, relative to root of repository
 PROJECT_FILE_PATH: ReferenceCopAnalyzer/ReferenceCopAnalyzer/ReferenceCopAnalyzer.csproj
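Review bot: The three pins keep only the floating major tag in their trailing comments (`# v2`, `# v1` and `# v2` on the checkout, setup-dotnet and publish-nuget lines, the last in the second hunk), so a reader cannot tell which release each SHA corresponds to and an update tool has no exact version to compare against. Record the full release tag instead, e.g. `uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.x.y` (placeholder; use the tag the SHA actually resolves to). Before merging, confirm each SHA is reachable from a tag or branch in the named upstream repository, since GitHub also resolves commit SHAs that exist only in a fork of that repository. Pinning also freezes these old majors, so without a Dependabot or Renovate entry for `github-actions` (none is visible in this patch) the publish job will stop receiving fixes; `rohith/publish-nuget` deserves the closest look because it is the one non-GitHub-owned action here and it runs in the publishing step, whose `with:` block continues outside the hunk.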