From ad1977de831597a4d63b8593ec84749bb817b959 Mon Sep 17 00:00:00 2001
From: lae
Date: Sat, 6 Sep 2025 01:14:48 +0900
Subject: [PATCH 1/5] create amplify rule config with third-party-action-not-pinned-to-commit-sha rule
---
 configs/amplify.list | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 configs/amplify.list
diff --git a/configs/amplify.list b/configs/amplify.list
new file mode 100644
index 000000000..9220ea2b6
--- /dev/null
+++ b/configs/amplify.list
@@ -0,0 +1 @@
+yaml/github-actions/security/third-party-action-not-pinned-to-commit-sha.yml:third-party-action-not-pinned-to-commit-sha
From b8b282b44e07ec3c0d3776a34465f15bea362ca9 Mon Sep 17 00:00:00 2001
From: lae
Date: Sat, 6 Sep 2025 01:33:12 +0900
Subject: [PATCH 2/5] [actions] update pre-commit action to v3.0.1
---
 .github/workflows/pre-commit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 0299e2936..a2e6f8e56 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -14,6 +14,6 @@ jobs:
 - uses: actions/setup-python@v5
 with:
 python-version: '3.10'
- - uses: pre-commit/action@v2.0.0
+ - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
 env:
 SKIP: yamlfmt
From ab229af8d2d9a98fdc1071b5641c313e49d29ec9 Mon Sep 17 00:00:00 2001
From: lae
Date: Sat, 6 Sep 2025 01:34:54 +0900
Subject: [PATCH 3/5] [actions] update other actions in pre-commit workflow
---
 .github/workflows/pre-commit.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index a2e6f8e56..a9ae46c55 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
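Review bot: The single entry added to `configs/amplify.list` is the only description of the list format, so a reader cannot tell from the file what the text on either side of the `:` means or which tool consumes the list; if the consumer tolerates `#` comment lines, a header such as `# one entry per line: <rule-file-path>:<rule-id>` would document it, otherwise the format belongs in the README. It is also worth confirming that the referenced rule file really has a `.yml` extension, because the workflow files in this series use both `.yml` and `.yaml`, and a mistyped path would select no rule at all unless the consumer checks that the file exists.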
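Review bot: The trailing `# v3.0.1` on the new `uses:` line is the only link between the pinned commit and a release, and nothing in the workflow keeps the two in step, so a later bump of the SHA without the comment (or the reverse) leaves a misleading pin. The SHA should be checked against the commit the `v3.0.1` tag points to as part of this review, and a Dependabot or Renovate configuration for the `github-actions` ecosystem is the usual way to keep SHA pins maintainable afterwards, since it rewrites the SHA and the version comment together; I'd add one alongside this series.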
@@ -10,8 +10,8 @@ jobs:
 pre-commit:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-python@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
 with:
 python-version: '3.10'
 - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
From 8572a4cdf785d86099f15ae2ef37a36a504486c7 Mon Sep 17 00:00:00 2001
From: lae
Date: Sat, 6 Sep 2025 01:46:34 +0900
Subject: [PATCH 4/5] [actions] update workflows to use ubuntu 24
---
 .github/workflows/semgrep-rule-lints.yaml | 2 +-
 .github/workflows/semgrep-rules-test.yml | 2 +-
 .github/workflows/validate-r2c-registry-metadata.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/semgrep-rule-lints.yaml b/.github/workflows/semgrep-rule-lints.yaml
index a7214a1f3..69ff1cd9d 100644
--- a/.github/workflows/semgrep-rule-lints.yaml
+++ b/.github/workflows/semgrep-rule-lints.yaml
@@ -8,7 +8,7 @@ on:
 jobs:
 semgrep:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-24.04
 name: semgrep-rule-lints
 steps:
 - uses: actions/checkout@v2
diff --git a/.github/workflows/semgrep-rules-test.yml b/.github/workflows/semgrep-rules-test.yml
index 757d81b80..98a6bc901 100644
--- a/.github/workflows/semgrep-rules-test.yml
+++ b/.github/workflows/semgrep-rules-test.yml
@@ -12,7 +12,7 @@ on:
 jobs:
 test-latest:
 name: rules-test-latest
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@v2
 - uses: actions/setup-python@v2
diff --git a/.github/workflows/validate-r2c-registry-metadata.yaml b/.github/workflows/validate-r2c-registry-metadata.yaml
index bccd134b1..b1cc78962 100644
--- a/.github/workflows/validate-r2c-registry-metadata.yaml
+++ b/.github/workflows/validate-r2c-registry-metadata.yaml
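Review bot: The runner moves to `ubuntu-24.04`, but the step on the context line of this hunk still reads `actions/checkout@v2`, which is neither pinned to a commit SHA nor on a current major, and the semgrep-rules-test.yml hunk of this patch and the validate-r2c-registry-metadata.yaml hunk that follows keep `actions/checkout@v2` and `actions/setup-python@v2` in the same state. Patch 3 already moved pre-commit.yml to full-SHA pins with a trailing version comment, so after this series the three workflows touched here are the inconsistent ones; the rule enabled in configs/amplify.list is named for third-party actions and may well not flag the `actions/` organisation, but the pinning practice is the same. Those v2 majors also run on a Node runtime GitHub has deprecated, so they are likely to warn, and may eventually stop working, on the new image; I'd apply the same `- uses: actions/checkout@<full-commit-sha> # vX.Y.Z` form here (placeholder values, to be filled from the tagged commits) and confirm with a run before merging.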
@@ -16,7 +16,7 @@ jobs:
 validate-metadata:
 if: github.repository == 'amplify-security/opengrep-rules'
 name: Validate r2c registry metadata
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@v2
 with:
From e83e4781e3ce412be9dec2c46f09825eac6d7e68 Mon Sep 17 00:00:00 2001
From: lae
Date: Sat, 6 Sep 2025 01:54:29 +0900
Subject: [PATCH 5/5] [actions] update workflows to use python 3.9.23
---
 .github/workflows/semgrep-rule-lints.yaml | 2 +-
 .github/workflows/semgrep-rules-test.yml | 2 +-
 .github/workflows/validate-r2c-registry-metadata.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/semgrep-rule-lints.yaml b/.github/workflows/semgrep-rule-lints.yaml
index 69ff1cd9d..df6f14d6b 100644
--- a/.github/workflows/semgrep-rule-lints.yaml
+++ b/.github/workflows/semgrep-rule-lints.yaml
@@ -14,7 +14,7 @@ jobs:
 - uses: actions/checkout@v2
 - uses: actions/setup-python@v2
 with:
- python-version: 3.9.2
+ python-version: 3.9.23
 - name: install semgrep
 run: pip3 install semgrep
 - name: lints for semgrep rules
diff --git a/.github/workflows/semgrep-rules-test.yml b/.github/workflows/semgrep-rules-test.yml
index 98a6bc901..f1f80f157 100644
--- a/.github/workflows/semgrep-rules-test.yml
+++ b/.github/workflows/semgrep-rules-test.yml
@@ -17,7 +17,7 @@ jobs:
 - uses: actions/checkout@v2
 - uses: actions/setup-python@v2
 with:
- python-version: 3.9.2
+ python-version: 3.9.23
 - name: install semgrep via pip
 run: pip3 install semgrep
 - name: validate rules
diff --git a/.github/workflows/validate-r2c-registry-metadata.yaml b/.github/workflows/validate-r2c-registry-metadata.yaml
index b1cc78962..281bfda28 100644
--- a/.github/workflows/validate-r2c-registry-metadata.yaml
+++ b/.github/workflows/validate-r2c-registry-metadata.yaml
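Review bot: `python-version: 3.9.23` is left unquoted on the new line, as it is in the semgrep-rules-test.yml hunk of this patch and the validate-r2c-registry-metadata.yaml hunk that follows; a three-component version does parse as a string, but pre-commit.yml in this same series quotes `'3.10'`, and an unquoted two-component bump such as `3.10` would be read as the float `3.1` by a generic YAML loader, so `python-version: '3.9.23'` keeps the three files consistent and safe to edit later. Pinning an exact patch release also means interpreter security fixes need a manual bump each time, whereas `'3.9'` would let setup-python resolve the latest patch; that is a reasonable trade-off if the exact pin is deliberate, but 3.9 is close to its end of life, so a one-line comment on why 3.9 is still required would help the next maintainer. With `actions/setup-python@v2` on the context line being several majors old, I'd also confirm on a first ubuntu-24.04 run that 3.9.23 actually resolves rather than assume it from the manifest.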
@@ -35,7 +35,7 @@ jobs:
 run: echo $CHANGED_FILES
 - uses: actions/setup-python@v2
 with:
- python-version: 3.9.2
+ python-version: 3.9.23
 - name: install deps
 run: pip install jsonschema pyyaml
 - name: validate metadata