From 38453169c5184eb4dbe046ca5e50872a7271b2a6 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 2 Feb 2026 21:23:51 +0000
Subject: [PATCH 1/5] chore(deps): update actions/checkout action to v6

---
 .github/workflows/update-geolite2.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/update-geolite2.yml b/.github/workflows/update-geolite2.yml
index 51491514..e4d3b55c 100644
--- a/.github/workflows/update-geolite2.yml
+++ b/.github/workflows/update-geolite2.yml
@@ -14,7 +14,7 @@ jobs:
   update-checksum:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
       - name: Download and calculate checksum
         id: checksum

From 8908a37dbf750d961830ae6921902ed33405f7e3 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 2 Feb 2026 21:23:55 +0000
Subject: [PATCH 2/5] chore(deps): update peter-evans/create-pull-request
 action to v8

---
 .github/workflows/update-geolite2.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/update-geolite2.yml b/.github/workflows/update-geolite2.yml
index 51491514..2ba74731 100644
--- a/.github/workflows/update-geolite2.yml
+++ b/.github/workflows/update-geolite2.yml
@@ -105,7 +105,7 @@ jobs:
 
       - name: Create Pull Request
         if: steps.checksum.outputs.needs_update == 'true'
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8
         with:
           title: "chore(docker): update GeoLite2-Country.mmdb checksum"
           body: |

From e2562d27df4b1ac09e151cd0c72dc0774f151384 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 2 Feb 2026 21:25:31 +0000
Subject: [PATCH 3/5] chore(deps): pin dependencies

---
 .github/workflows/update-geolite2.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/update-geolite2.yml b/.github/workflows/update-geolite2.yml
index 51491514..4684479a 100644
--- a/.github/workflows/update-geolite2.yml
+++ b/.github/workflows/update-geolite2.yml
@@ -14,7 +14,7 @@ jobs:
   update-checksum:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Download and calculate checksum
         id: checksum
@@ -105,7 +105,7 @@ jobs:
 
       - name: Create Pull Request
         if: steps.checksum.outputs.needs_update == 'true'
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6
         with:
           title: "chore(docker): update GeoLite2-Country.mmdb checksum"
           body: |
@@ -160,7 +160,7 @@ jobs:
 
       - name: Report failure via GitHub Issue
         if: failure()
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             const errorType = '${{ steps.checksum.outputs.error }}' || 'unknown';

From ffcfb409198ca1866300377d2f0dd9eb0bec77f0 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 2 Feb 2026 21:25:36 +0000
Subject: [PATCH 4/5] chore(deps): update weekly-non-major-updates

---
 .github/workflows/codeql.yml          | 6 +++---
 .github/workflows/security-pr.yml     | 2 +-
 .github/workflows/supply-chain-pr.yml | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 84072169..6c97f9cf 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -42,7 +42,7 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4
+        uses: github/codeql-action/init@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4
         with:
           languages: ${{ matrix.language }}
           # Use CodeQL config to exclude documented false positives
@@ -58,10 +58,10 @@ jobs:
           cache-dependency-path: backend/go.sum
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4
+        uses: github/codeql-action/autobuild@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4
+        uses: github/codeql-action/analyze@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4
         with:
           category: "/language:${{ matrix.language }}"
 
diff --git a/.github/workflows/security-pr.yml b/.github/workflows/security-pr.yml
index c4faa8ff..aadb2d1c 100644
--- a/.github/workflows/security-pr.yml
+++ b/.github/workflows/security-pr.yml
@@ -234,7 +234,7 @@ jobs:
       - name: Upload Trivy SARIF to GitHub Security
         if: steps.check-artifact.outputs.artifact_exists == 'true'
         # github/codeql-action v4
-        uses: github/codeql-action/upload-sarif@f52cbc83091da34ce9a8ae0e3db2f977e8d4ecb2
+        uses: github/codeql-action/upload-sarif@ab5b0e3aabf4de044f07a63754c2110d3ef2df38
         with:
           sarif_file: 'trivy-binary-results.sarif'
           category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event.workflow_run.head_branch) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}
diff --git a/.github/workflows/supply-chain-pr.yml b/.github/workflows/supply-chain-pr.yml
index 3d1f9b1a..f6b1b0ee 100644
--- a/.github/workflows/supply-chain-pr.yml
+++ b/.github/workflows/supply-chain-pr.yml
@@ -296,7 +296,7 @@ jobs:
       - name: Upload SARIF to GitHub Security
         if: steps.check-artifact.outputs.artifact_found == 'true'
         # github/codeql-action v4
-        uses: github/codeql-action/upload-sarif@f52cbc83091da34ce9a8ae0e3db2f977e8d4ecb2
+        uses: github/codeql-action/upload-sarif@ab5b0e3aabf4de044f07a63754c2110d3ef2df38
         continue-on-error: true
         with:
           sarif_file: grype-results.sarif

From dd28a0d819251d52a98c34317186b80c2801f780 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 2 Feb 2026 21:25:41 +0000
Subject: [PATCH 5/5] chore(deps): update actions/github-script action to v8

---
 .github/workflows/update-geolite2.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/update-geolite2.yml b/.github/workflows/update-geolite2.yml
index 51491514..32022324 100644
--- a/.github/workflows/update-geolite2.yml
+++ b/.github/workflows/update-geolite2.yml
@@ -160,7 +160,7 @@ jobs:
 
       - name: Report failure via GitHub Issue
         if: failure()
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           script: |
             const errorType = '${{ steps.checksum.outputs.error }}' || 'unknown';