From 9693334b161619e76058f2308753dc673770fdec Mon Sep 17 00:00:00 2001
From: Haitao Pan <manbuzhe2009@qq.com>
Date: Sun, 12 Apr 2026 18:32:17 +0800
Subject: [PATCH] Pin checkout action to full SHA

---
 .github/workflows/release-traceability.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release-traceability.yml b/.github/workflows/release-traceability.yml
index 5549813..67218c6 100644
--- a/.github/workflows/release-traceability.yml
+++ b/.github/workflows/release-traceability.yml
@@ -14,7 +14,7 @@ jobs:
       service_image_tag: ${{ steps.meta.outputs.service_image_tag }}
       service_image_commit: ${{ steps.meta.outputs.service_image_commit }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Derive image identity
         id: meta
@@ -33,7 +33,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Deploy via playbook
         env:
@@ -47,7 +47,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: deploy
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Verify traceability script cases
         run: bash ./scripts/github-actions/test-validate-release-traceability.sh