From e97fe246aa13976231501561027a6b83d9b37bdb Mon Sep 17 00:00:00 2001
From: dagecko
Date: Wed, 8 Apr 2026 22:17:39 -0400
Subject: [PATCH] Pin third-party action to commit SHA and move secrets to step env (#14937)
---
 .github/workflows/codecov.yml | 2 +-
 .github/workflows/coverity.yml | 11 ++++++++---
 .github/workflows/daily.yml | 2 +-
 3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
index 82656ac31..5108ec907 100644
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@@ -18,7 +18,7 @@ jobs:
 make lcov
 - name: Upload coverage reports to Codecov
- uses: codecov/codecov-action@v4
+ uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 file: ./src/redis.info
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 0237c8739..f5d37ae5c 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -14,9 +14,11 @@ jobs:
 - uses: actions/checkout@main
 - name: Download and extract the Coverity Build Tool
 run: |
- wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=${{ secrets.COVERITY_SCAN_TOKEN }}&project=redis-unstable" -O cov-analysis-linux64.tar.gz
+ wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=${COVERITY_SCAN_TOKEN}&project=redis-unstable" -O cov-analysis-linux64.tar.gz
 mkdir cov-analysis-linux64
 tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
+ env:
+ COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
 - name: Install Redis dependencies
 run: sudo apt install -y gcc tcl8.6 tclx procps libssl-dev
 - name: Build with cov-build
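Review bot: The `codecov.yml` pin also moves the action from `@v4` to a revision annotated `# v6`, a jump of two major versions, while the unchanged `with:` block still passes `file: ./src/redis.info`. As far as I recall, codecov-action v5 deprecated the `file` input in favour of `files`, so the input should be checked against the pinned revision's `action.yml` and probably become `files: ./src/redis.info`. I would also put the exact release tag in the trailing comment, as the `daily.yml` pin does with `# v4.1.0`, so a reviewer or update bot can match the SHA to a release; that mapping cannot be confirmed from this page. The enclosing job starts outside the hunk.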
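Review bot: In the first `coverity.yml` hunk the job still opens with `- uses: actions/checkout@main`, a moving branch ref, so unreviewed changes to that ref run on the same runner just before the steps that now receive `COVERITY_SCAN_TOKEN`. Pinning it like the other actions in this commit would close the gap: `- uses: actions/checkout@<full-commit-sha> # <release tag>` (placeholder; take the SHA from the release you intend to use). The job definition begins above the hunk, so any other `uses:` lines there are not visible here.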
@@ -26,7 +28,10 @@ jobs:
 tar czvf cov-int.tgz cov-int
 curl \
 --form project=redis-unstable \
- --form email=${{ secrets.COVERITY_SCAN_EMAIL }} \
- --form token=${{ secrets.COVERITY_SCAN_TOKEN }} \
+ --form email="${COVERITY_SCAN_EMAIL}" \
+ --form token="${COVERITY_SCAN_TOKEN}" \
 --form file=@cov-int.tgz \
 https://scan.coverity.com/builds
+ env:
+ COVERITY_SCAN_EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }}
+ COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml
index b70f98618..2f0572444 100644
--- a/.github/workflows/daily.yml
+++ b/.github/workflows/daily.yml
@@ -1224,7 +1224,7 @@ jobs:
 if: true && !contains(github.event.inputs.skiptests, 'cluster')
 run: ./runtest-cluster --log-req-res --dont-clean --force-resp3 ${{github.event.inputs.cluster_test_args}}
 - name: Install Python dependencies
- uses: py-actions/py-dependency-install@v4
+ uses: py-actions/py-dependency-install@30aa0023464ed4b5b116bd9fbdab87acf01a484e # v4.1.0
 with:
 path: "./utils/req-res-validator/requirements.txt"
 - name: validator
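Review bot: In the second `coverity.yml` hunk, `--form email="${COVERITY_SCAN_EMAIL}"` and `--form token="${COVERITY_SCAN_TOKEN}"` still let curl interpret the secret value, because with `--form` a leading `@` or `<` means "read a file" and a `;type=` suffix is parsed as an attribute. `--form-string` sends the value literally, so I would write `--form-string email="${COVERITY_SCAN_EMAIL}" \` and `--form-string token="${COVERITY_SCAN_TOKEN}" \`, leaving `--form file=@cov-int.tgz` as it is. Adding `--fail` to the same command would make a rejected upload fail the job rather than pass quietly. The `run:` block and its step header start above the hunk.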
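Review bot: The context line `run: ./runtest-cluster --log-req-res --dont-clean --force-resp3 ${{github.event.inputs.cluster_test_args}}` in the `daily.yml` hunk still expands a workflow input straight into the shell script, the same pattern this commit removes for secrets in `coverity.yml`. Passing it through the step environment keeps the value out of the generated script: add `env:` with `CLUSTER_TEST_ARGS: ${{ github.event.inputs.cluster_test_args }}` and end the command with `${CLUSTER_TEST_ARGS}`, left unquoted so several arguments still split into words. These inputs presumably come from a manual dispatch by someone allowed to trigger the workflow, so exposure is limited, but it is worth keeping consistent with the rest of the change. The step's `- name:` line is above the hunk, and other steps in this file may use the same form.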