From fdcc996dd75fd552c44ef73d82d5870c181c47a8 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 30 Mar 2026 15:04:05 +0000
Subject: [PATCH 1/2] Update GitHub Actions

---
 .github/workflows/add-to-project.yaml          | 2 +-
 .github/workflows/ci.yaml                      | 2 +-
 .github/workflows/emergency-review-bypass.yaml | 2 +-
 .github/workflows/notify-approval-bypass.yaml  | 2 +-
 .github/workflows/pr-title.yaml                | 2 +-
 .github/workflows/release.yaml                 | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/add-to-project.yaml b/.github/workflows/add-to-project.yaml
index e3c0b422..3e7d97c1 100644
--- a/.github/workflows/add-to-project.yaml
+++ b/.github/workflows/add-to-project.yaml
@@ -17,5 +17,5 @@ on:
 jobs:
   call-workflow-add-to-project:
     name: Call workflow to add issue to project
-    uses: bufbuild/base-workflows/.github/workflows/add-to-project.yaml@main
+    uses: bufbuild/base-workflows/.github/workflows/add-to-project.yaml@7be6b0f6700ab0c62145c2b4ca2efd103bfc4895 # main
     secrets: inherit
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index a5020107..dd3d5d88 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -24,7 +24,7 @@ jobs:
       UV_RESOLUTION: "${{ matrix.resolution }}"
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version: stable
           # We use this to install `buf`, and the `buf` version is controlled by the Makefile.
diff --git a/.github/workflows/emergency-review-bypass.yaml b/.github/workflows/emergency-review-bypass.yaml
index e40068f9..ce29a9bd 100644
--- a/.github/workflows/emergency-review-bypass.yaml
+++ b/.github/workflows/emergency-review-bypass.yaml
@@ -9,5 +9,5 @@ jobs:
   approve:
     name: Approve
     if: github.event.label.name == 'Emergency Bypass Review'
-    uses: bufbuild/base-workflows/.github/workflows/emergency-review-bypass.yaml@main
+    uses: bufbuild/base-workflows/.github/workflows/emergency-review-bypass.yaml@7be6b0f6700ab0c62145c2b4ca2efd103bfc4895 # main
     secrets: inherit
diff --git a/.github/workflows/notify-approval-bypass.yaml b/.github/workflows/notify-approval-bypass.yaml
index 384db803..210ecd13 100644
--- a/.github/workflows/notify-approval-bypass.yaml
+++ b/.github/workflows/notify-approval-bypass.yaml
@@ -10,5 +10,5 @@ permissions:
 jobs:
   notify:
     name: Notify
-    uses: bufbuild/base-workflows/.github/workflows/notify-approval-bypass.yaml@main
+    uses: bufbuild/base-workflows/.github/workflows/notify-approval-bypass.yaml@7be6b0f6700ab0c62145c2b4ca2efd103bfc4895 # main
     secrets: inherit
diff --git a/.github/workflows/pr-title.yaml b/.github/workflows/pr-title.yaml
index b1146033..1711004d 100644
--- a/.github/workflows/pr-title.yaml
+++ b/.github/workflows/pr-title.yaml
@@ -15,4 +15,4 @@ on:
       - synchronize
 jobs:
   lint:
-    uses: bufbuild/base-workflows/.github/workflows/pr-title.yaml@main
+    uses: bufbuild/base-workflows/.github/workflows/pr-title.yaml@7be6b0f6700ab0c62145c2b4ca2efd103bfc4895 # main
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 74e45d5e..3506fda5 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -50,4 +50,4 @@ jobs:
           path: dist
 
       - name: Publish on PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1

From d8d815256c685d11dec200c4ec732a986bc3e9d6 Mon Sep 17 00:00:00 2001
From: Stefan VanBuren <svanburen@buf.build>
Date: Wed, 1 Apr 2026 08:48:16 -0400
Subject: [PATCH 2/2] Add fully pinned version comments

With `pinact run`.
---
 .github/workflows/ci.yaml      |  6 +++---
 .github/workflows/release.yaml | 10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index dd3d5d88..4c4bf596 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -23,13 +23,13 @@ jobs:
       # Shared env variables for all the tests
       UV_RESOLUTION: "${{ matrix.resolution }}"
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: stable
           # We use this to install `buf`, and the `buf` version is controlled by the Makefile.
           cache-dependency-path: Makefile
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
         with:
           python-version: ${{ matrix.python-version }}
       - run: make install
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 3506fda5..c6eb7d9d 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -12,18 +12,18 @@ jobs:
       name: release
     steps:
       - name: Checkout source
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
       - name: Set VERSION variable from tag
         run: |
           VERSION=${{github.head_ref}}
           echo "VERSION=${VERSION##*/}" >> $GITHUB_ENV
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
       - name: Build release
         run: |
           uv build
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: package
           path: dist/
@@ -39,12 +39,12 @@ jobs:
     needs: build
     steps:
       - name: Checkout source
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
       - name: Download built artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: package
           path: dist