From e3d59dc54b368678c3fbe25f670864d40107c1d6 Mon Sep 17 00:00:00 2001
From: Andrew Konchin
Date: Tue, 22 Apr 2025 12:05:15 +0300
Subject: [PATCH] Fix potential security breach and specify commit SHA1 for actions/download-artifact GitHub action instead of a tag
---
 .github/workflows/ci.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e1e162e714a..342ac6fb356 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -137,7 +137,7 @@ jobs:
 - name: Setup jt
 run: echo "SYSTEM_RUBY=$(which ruby)" >> $GITHUB_ENV && echo "$PWD/bin" >> $GITHUB_PATH
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
 with:
 name: truffleruby-jvm
 - uses: ./.github/actions/setup-truffleruby
@@ -164,7 +164,7 @@ jobs:
 - name: Setup jt
 run: echo "SYSTEM_RUBY=$(which ruby)" >> $GITHUB_ENV && echo "$PWD/bin" >> $GITHUB_PATH
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
 with:
 name: truffleruby-jvm
 - uses: ./.github/actions/setup-truffleruby
@@ -183,7 +183,7 @@ jobs:
 - name: Setup jt
 run: echo "SYSTEM_RUBY=$(which ruby)" >> $GITHUB_ENV && echo "$PWD/bin" >> $GITHUB_PATH
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
 with:
 name: truffleruby-jvm
 - uses: ./.github/actions/setup-truffleruby
@@ -202,7 +202,7 @@ jobs:
 - name: Setup jt
 run: echo "SYSTEM_RUBY=$(which ruby)" >> $GITHUB_ENV && echo "$PWD/bin" >> $GITHUB_PATH
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
 with:
 name: truffleruby-native
 - uses: ./.github/actions/setup-truffleruby
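Review bot: The pin on the `+` line of the `@@ -137` hunk, repeated unchanged in the hunks at 164, 183, 202 and 228, protects the workflow only if `95815c38cf2ff2164869cbab79da8d1f422bc89e` is the commit that the upstream `actions/download-artifact` tag v4.2.1 points to. GitHub also resolves a SHA that exists only in a fork of the action, so check it against the upstream tag before merging. The trailing `# v4.2.1` comment is not enforced by anything and will drift from the SHA on the next manual bump. If the repository has no updater configured yet, a `package-ecosystem: "github-actions"` entry in `.github/dependabot.yml` keeps the SHA and the comment in step. Only download-artifact is pinned here; whether other third-party `uses:` references in ci.yml, or inside the local `./.github/actions/setup-truffleruby` action, are still tag-based cannot be seen from these hunks, whose job bodies start and end outside them.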
@@ -228,7 +228,7 @@ jobs:
 - name: Setup jt
 run: echo "SYSTEM_RUBY=$(which ruby)" >> $GITHUB_ENV && echo "$PWD/bin" >> $GITHUB_PATH
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
 with:
 name: truffleruby-native
 - uses: ./.github/actions/setup-truffleruby