From db197f63ed476ff4cd5e7ce0e74a080cd1e1a12d Mon Sep 17 00:00:00 2001
From: John Bampton <jbampton@gmail.com>
Date: Wed, 20 May 2026 00:55:38 +1000
Subject: [PATCH] [CI] Pin codeql actions to hash

---
 .github/linters/zizmor.yml   | 1 -
 .github/workflows/codeql.yml | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/linters/zizmor.yml b/.github/linters/zizmor.yml
index 503066ba26e..9906661761e 100644
--- a/.github/linters/zizmor.yml
+++ b/.github/linters/zizmor.yml
@@ -19,7 +19,6 @@ rules:
   unpinned-uses:
     config:
       policies:
-        github/*: any
         r-lib/actions/check-r-package: any
         r-lib/actions/setup-r: any
         r-lib/actions/setup-r-dependencies: any
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index fdaa33084b3..2e358b20bd8 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -45,12 +45,12 @@ jobs:
           persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
         with:
           languages: ${{ matrix.language }}
           build-mode: none
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
         with:
           category: 'Security'