From 219ce6089c4a33d2e45e48889859eaacf73ec692 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Fri, 19 Dec 2025 12:17:14 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/actions/get-artifact-for-stage-tests/action.yml | 4 ++--
 .github/actions/run-ee-server/action.yml | 2 +-
 .github/workflows/update-manylinux-openssl-image.yml | 2 +-
 .github/workflows/upload-jfrog-build-to-pypi.yml | 2 +-
 .github/workflows/upload-to-jfrog.yml | 2 +-
 .github/workflows/valgrind.yml | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/actions/get-artifact-for-stage-tests/action.yml b/.github/actions/get-artifact-for-stage-tests/action.yml
index feae95bd34..94ebf80c04 100644
--- a/.github/actions/get-artifact-for-stage-tests/action.yml
+++ b/.github/actions/get-artifact-for-stage-tests/action.yml
@@ -49,7 +49,7 @@ runs:
 run: echo "GITHUB_ARTIFACT_NAME=${{ env.PYTHON_TAG }}-${{ inputs.wheel_os }}_${{ inputs.wheel_cpu_arch }}.build" >> $GITHUB_ENV
 shell: bash
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 if: ${{ inputs.get_from_jfrog == 'false' }}
 with:
 name: ${{ env.GITHUB_ARTIFACT_NAME }}
@@ -70,7 +70,7 @@ runs:
 # End codepath that downloads artifacts from Github
 # Begin codepath that downloads from JFrog
- - uses: jfrog/setup-jfrog-cli@v4
+ - uses: jfrog/setup-jfrog-cli@5b06f730cc5a6f55d78b30753f8583454b08c0aa # v4.8.1
 if: ${{ inputs.get_from_jfrog == 'true' }}
 env:
 JF_URL: ${{ inputs.JFROG_PLATFORM_URL }}
diff --git a/.github/actions/run-ee-server/action.yml b/.github/actions/run-ee-server/action.yml
index bb0923590b..a0fd5d491f 100644
--- a/.github/actions/run-ee-server/action.yml
+++ b/.github/actions/run-ee-server/action.yml
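Review bot: The `run:` context line in the first hunk interpolates `${{ inputs.wheel_os }}` and `${{ inputs.wheel_cpu_arch }}` directly into a bash command that appends to `$GITHUB_ENV`, which is the GitHub Actions script-injection pattern: expressions are expanded before the shell parses the line, so a caller-supplied value containing quotes or `$(...)` becomes shell code and can define arbitrary environment variables for every later step. Whether these composite-action inputs can ever be attacker-influenced depends on the calling workflows, which are not visible here, so treat this as hardening rather than a confirmed hole. The usual fix is to route inputs through the step's `env:` and let the shell expand them: `env: { WHEEL_OS: ${{ inputs.wheel_os }}, WHEEL_CPU_ARCH: ${{ inputs.wheel_cpu_arch }} }` on the step, then `run: echo "GITHUB_ARTIFACT_NAME=${PYTHON_TAG}-${WHEEL_OS}_${WHEEL_CPU_ARCH}.build" >> "$GITHUB_ENV"`. The step that owns this `run:` begins above the hunk.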
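Review bot: The second hunk pins this composite action to the upstream publisher, `jfrog/setup-jfrog-cli@5b06f730…`, while the workflow files touched by the same commit move the identical action to `step-security/setup-jfrog-cli@a6b41f83…`, so after this patch the repository trusts two different publishers for the same JFrog CLI setup step, each of which is handed a JFrog access token. That doubles the supply-chain surface to review and makes a future pin update easy to apply to one copy and miss on the other. Either keep every occurrence on upstream `jfrog/` or move this one to the same `step-security/` fork, and whichever is chosen, record the reason in a comment on the `uses:` line, since the SHA alone does not tell a reader why a vendor's action was or was not replaced. Note also that the trailing `# v4.8.1` is documentation only — GitHub resolves the SHA, not the comment — so something (Dependabot, Renovate, or this bot) must keep the two in sync or the comment will silently drift.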
@@ -40,7 +40,7 @@ runs:
 - name: Log into registry to get non-public server RCs
 # We can still pull public images while logged in, so just do this all the time to make things simple
- uses: docker/login-action@v3
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: ${{ inputs.registry-name }}
 username: ${{ inputs.registry-username }}
diff --git a/.github/workflows/update-manylinux-openssl-image.yml b/.github/workflows/update-manylinux-openssl-image.yml
index 63d5f4df90..2c9783a297 100644
--- a/.github/workflows/update-manylinux-openssl-image.yml
+++ b/.github/workflows/update-manylinux-openssl-image.yml
@@ -50,7 +50,7 @@ jobs:
 flavor: latest=false
 - name: Set up Docker Buildx so we can cache our Docker image layers
- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+ uses: step-security/setup-buildx-action@8c8aef2d414c0b66518fee2b7084e0986f82d7ac # v3.11.1
 - name: Get cibuildwheel version used to build wheels
 run: echo CIBW_VERSION=$(yq eval '.jobs.cibuildwheel.steps | map(select(.id == "cibuildwheel"))[0].uses' build-wheels.yml | cut -f 2- -d "@") >> $GITHUB_ENV
diff --git a/.github/workflows/upload-jfrog-build-to-pypi.yml b/.github/workflows/upload-jfrog-build-to-pypi.yml
index d6fa5a9cf5..8437c2cfd7 100644
--- a/.github/workflows/upload-jfrog-build-to-pypi.yml
+++ b/.github/workflows/upload-jfrog-build-to-pypi.yml
@@ -21,7 +21,7 @@ jobs:
 with:
 egress-policy: audit
- - uses: jfrog/setup-jfrog-cli@5b06f730cc5a6f55d78b30753f8583454b08c0aa # v4.8.1
+ - uses: step-security/setup-jfrog-cli@a6b41f8338bea0983ddff6bd4ede7d2dcd81e1fa # v4.8.1
 env:
 JF_URL: ${{ secrets.JFROG_PLATFORM_URL }}
 JF_ACCESS_TOKEN: ${{ secrets.JFROG_ACCESS_TOKEN }}
diff --git a/.github/workflows/upload-to-jfrog.yml b/.github/workflows/upload-to-jfrog.yml
index b3a6d87a01..80b20abb40 100644
--- a/.github/workflows/upload-to-jfrog.yml
+++ b/.github/workflows/upload-to-jfrog.yml
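Review bot: In the update-manylinux-openssl-image hunk, `uses: step-security/setup-buildx-action@8c8aef2d…` changes the action's publisher, not merely its pin — the removed line was already SHA-pinned to `docker/setup-buildx-action` — yet the trailing comment still says `# v3.11.1` as if nothing but the hash moved, and the commit message does not say why a Docker-maintained action is being replaced by a third-party fork or whether `8c8aef2d…` was verified against the fork's own v3.11.1 tag. The fork becomes a new party able to run code on the runner that builds and pushes this image, and the policy is not applied consistently: in the run-ee-server hunk just above, `docker/login-action`, the step that actually handles registry credentials, stays on the upstream publisher. I would ask for the selection criterion to be stated in the PR and, if the fork is kept, for a comment on the `uses:` line that names the upstream action and the reason, e.g. `# fork of docker/setup-buildx-action v3.11.1 — <reason for preferring the fork>`.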
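Review bot: In the upload-jfrog-build-to-pypi hunk the context shows `egress-policy: audit` on what looks like the harden-runner step (its `uses:` line is above the hunk), immediately before the step that loads `secrets.JFROG_ACCESS_TOKEN` into the environment; audit mode only records outbound connections and would not stop a compromised action or transitive dependency from exfiltrating that token from a job whose purpose is to publish a release. For a commit titled as applying security best practices, moving this job to enforcement is the higher-value change: `egress-policy: block` together with an `allowed-endpoints:` list naming the JFrog platform host, `github.com`, and the PyPI upload endpoint. The JFrog hostname lives in `secrets.JFROG_PLATFORM_URL` and is not visible here, so a maintainer would need to fill the list from one audit-mode run before flipping the policy.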
@@ -34,7 +34,7 @@ jobs:
 path: artifacts
 - name: Set up JFrog credentials
- uses: jfrog/setup-jfrog-cli@0f30b43d62ccad81fba40748d2c671c4665b2d27 # v3.5.3
+ uses: step-security/setup-jfrog-cli@a6b41f8338bea0983ddff6bd4ede7d2dcd81e1fa # v4.8.1
 env:
 JF_URL: ${{ secrets.JFROG_PLATFORM_URL }}
 JF_ACCESS_TOKEN: ${{ secrets.JFROG_ACCESS_TOKEN }}
diff --git a/.github/workflows/valgrind.yml b/.github/workflows/valgrind.yml
index c7a1a3e154..06808ebd84 100644
--- a/.github/workflows/valgrind.yml
+++ b/.github/workflows/valgrind.yml
@@ -46,7 +46,7 @@ jobs:
 with:
 egress-policy: audit
- - uses: jfrog/setup-jfrog-cli@5b06f730cc5a6f55d78b30753f8583454b08c0aa # v4.8.1
+ - uses: step-security/setup-jfrog-cli@a6b41f8338bea0983ddff6bd4ede7d2dcd81e1fa # v4.8.1
 env:
 JF_URL: ${{ secrets.JFROG_PLATFORM_URL }}
 JF_ACCESS_TOKEN: ${{ secrets.JFROG_ACCESS_TOKEN }}
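Review bot: In the upload-to-jfrog hunk the new `uses: step-security/setup-jfrog-cli@a6b41f83… # v4.8.1` replaces `jfrog/setup-jfrog-cli@0f30b43d… # v3.5.3`, so this one line is simultaneously a publisher swap and a major-version upgrade (v3 to v4) of the CLI setup, bundled into a commit that everywhere else pins or mirrors actions at their existing version. A major bump can change CLI defaults and therefore the behaviour of whatever `jf` invocations follow this "Set up JFrog credentials" step (they are outside the hunk), and if something breaks the cause will be hard to separate from the publisher change. I would split the upgrade into its own commit with a passing run of this workflow attached as evidence, or at least confirm the upload steps below still succeed on v4.8.1 before merging; a comment such as `# v4.8.1 (upgraded from jfrog/setup-jfrog-cli v3.5.3 together with the publisher change)` would also keep the history legible.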