fix: use pinned SHA for actions/checkout instead of version tag

devin-ai-integration[bot] · pkaeding · devin-ai-integration[bot] · commit 5e42a0b69fbf · 2025-09-11T16:10:34.000Z
Address security best practice by using pinned commit SHA 692973e3d937129bcbf40652eb9f2f61becf3332
instead of actions/checkout@v4 version tag.

Co-Authored-By: Patrick Kaeding &lt;patrick@kaeding.name&gt;
diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml
@@ -10,7 +10,7 @@ jobs:
   generate-nodejs-sbom:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
 
       - name: Generate SBOM
         uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main
@@ -22,7 +22,7 @@ jobs:
     needs:
       - generate-nodejs-sbom
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
 
       - name: Evaluate SBOM Policy
         uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main
