From 0b85962209c9fa8519e7a35a318d5dd2764514a9 Mon Sep 17 00:00:00 2001
From: David Karnok
Date: Wed, 25 Mar 2026 08:59:12 +0100
Subject: [PATCH 1/5] Pin invoked actions via SHA Hardening RxJava further.
---
 .github/workflows/gradle-wrapper-validation.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml
index 2f5e4593ed..58dc8a8ee9 100644
--- a/.github/workflows/gradle-wrapper-validation.yml
+++ b/.github/workflows/gradle-wrapper-validation.yml
@@ -10,4 +10,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - uses: gradle/actions/wrapper-validation@v6
+ - uses: gradle/actions/wrapper-validation@205054a7257716ec64af10a2e2ff1ac5d3b132db # v6
+
+
From ceeef4ed5dc1a15249c3856cd4a2f6d4b171ad67 Mon Sep 17 00:00:00 2001
From: David Karnok
Date: Wed, 25 Mar 2026 09:00:55 +0100
Subject: [PATCH 2/5] Update discord-release-announce.yml
---
 .github/workflows/discord-release-announce.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/discord-release-announce.yml b/.github/workflows/discord-release-announce.yml
index 1c4bc19867..7ac1bb592e 100644
--- a/.github/workflows/discord-release-announce.yml
+++ b/.github/workflows/discord-release-announce.yml
@@ -12,7 +12,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Send release to Discord
- uses: SethCohen/github-releases-to-discord@v1 # check exact latest version
+ uses: SethCohen/github-releases-to-discord@1b3dde6c63d699e660bf6e1b5605217b84d700fe # v1
 with:
 webhook_url: ${{ secrets.DISCORD_WEBHOOK_URL }}
 # optional customizations below - most have good defaults
From 3871a251f4a13738ee7346e5164f0677d59d604b Mon Sep 17 00:00:00 2001
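Review bot: In gradle-wrapper-validation.yml the new pin carries the comment `# v6`, which names a moving major tag rather than the release the SHA was taken from, unlike the `# v6.0.2` on the checkout line above it. Anyone auditing the pin later cannot tell which release `205054a7…` corresponds to, and update tooling that reads the trailing comment has no exact version to compare against. I would write the comment as `# <EXACT_RELEASE_TAG>` (placeholder; the tag is not on the page). The same applies to `# v1` in discord-release-announce.yml (PATCH 2/5). The hunk also adds two blank lines at the end of the file, which can be dropped.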
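Review bot: In discord-release-announce.yml the pinned third-party action is handed `secrets.DISCORD_WEBHOOK_URL`, so the pin is only as good as the commit it names. GitHub resolves a full SHA through the repository's fork network, so `1b3dde6c…` should be confirmed to be reachable from the `v1` tag in `SethCohen/github-releases-to-discord` itself and not only from a fork. The commit message does not record that this was checked; a line such as `SHAs verified against the upstream repositories' tags` in the description would do. The same check applies to `captradeoff/x-post-action@d643d2bb…` in release-notify-x.yml (PATCH 4/5), which receives the X API secrets. The job's `permissions:` block, if there is one, lies outside both hunks.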
From: David Karnok
Date: Wed, 25 Mar 2026 09:02:11 +0100
Subject: [PATCH 3/5] Update entropy-beauty-scan.yml
---
 .github/workflows/entropy-beauty-scan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/entropy-beauty-scan.yml b/.github/workflows/entropy-beauty-scan.yml
index 94570d4e0c..3b159dc7c1 100644
--- a/.github/workflows/entropy-beauty-scan.yml
+++ b/.github/workflows/entropy-beauty-scan.yml
@@ -12,12 +12,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code (full history)
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: Run TruffleHog
- uses: trufflesecurity/trufflehog@main
+ uses: trufflesecurity/trufflehogactions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 with:
 path: .
 extra_args: --results=verified,unknown --filter-entropy=3.5 --json
From 604ad16d59487b87dbf9648f43cdfbdfe8a2eed8 Mon Sep 17 00:00:00 2001
From: David Karnok
Date: Wed, 25 Mar 2026 09:02:51 +0100
Subject: [PATCH 4/5] Update release-notify-x.yml
---
 .github/workflows/release-notify-x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release-notify-x.yml b/.github/workflows/release-notify-x.yml
index 5c38f42042..df25d80c5d 100644
--- a/.github/workflows/release-notify-x.yml
+++ b/.github/workflows/release-notify-x.yml
@@ -12,7 +12,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Post to @RxJava
- uses: captradeoff/x-post-action@v1.2 # or latest tag
+ uses: captradeoff/x-post-action@d643d2bb835a1c915a056b2241cbda3c444d016d # v1.2
 with:
 appKey: ${{ secrets.X_APP_KEY }}
 appSecret: ${{ secrets.X_APP_SECRET }}
From 1b72f8df7318e6c2cf9f2e871af652e1a1deff33 Mon Sep 17 00:00:00 2001
From: David Karnok
Date: Wed, 25 Mar 2026 09:08:04 +0100
Subject: [PATCH 5/5] Update entropy-beauty-scan.yml fix trufflehog pin
---
 .github/workflows/entropy-beauty-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
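Review bot: In PATCH 3/5 the new `uses:` for the `Run TruffleHog` step of entropy-beauty-scan.yml, `trufflesecurity/trufflehogactions/github-script@ed597411… # v8`, reads like two action references pasted together and would presumably not resolve, leaving the secret scan broken at this commit. PATCH 5/5 corrects the reference. Squashing the two would keep a non-working scanner reference out of history, so a bisect or cherry-pick cannot land on a revision where the scan does not run. The `actions/checkout` pin in the same hunk uses the same SHA and `# v6.0.2` comment as gradle-wrapper-validation.yml, which is consistent.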
diff --git a/.github/workflows/entropy-beauty-scan.yml b/.github/workflows/entropy-beauty-scan.yml
index 3b159dc7c1..619d1921ca 100644
--- a/.github/workflows/entropy-beauty-scan.yml
+++ b/.github/workflows/entropy-beauty-scan.yml
@@ -17,7 +17,7 @@ jobs:
 fetch-depth: 0
 - name: Run TruffleHog
- uses: trufflesecurity/trufflehogactions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ uses: trufflesecurity/trufflehog@586f66d7886cd0b037c7c245d4a6e34ef357ab10 # main (as of March 2026)
 with:
 path: .
 extra_args: --results=verified,unknown --filter-entropy=3.5 --json
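Review bot: The pin `586f66d7… # main (as of March 2026)` fixes the action to an arbitrary commit on `main` rather than a tagged release, so there is no release to audit it against and the comment gives update tooling nothing to track. Separately, as far as I know this action runs the scanner from a container image selected by its `version` input, which defaults to `latest`; if that holds, the SHA pin covers only the wrapper and not the TruffleHog binary that scans the full-history checkout. I would pin to the commit of a release tag and add `version: <RELEASE_TAG>` under `with:` (placeholder; no release is named on the page). The step's `with:` block may continue past the end of the hunk.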