chore(deps): pin dependencies

renovate-sh-app[bot] · web-flow · commit e0da32a7e241 · 2026-04-22T14:01:31.000Z
Signed-off-by: renovate-sh-app[bot] &lt;219655108+renovate-sh-app[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/org-required-trufflehog.yml b/.github/workflows/org-required-trufflehog.yml
@@ -21,7 +21,7 @@ permissions:
 jobs:
   secret-scan:
     name: TruffleHog Secret Scan
-    uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml@main
+    uses: grafana/security-github-actions/.github/workflows/reusable-trufflehog.yml@8b10f82433323c48383277b3abc8c87d26564e63 # main
     with:
       # Non-blocking: job succeeds; PR still gets comments/artifacts when findings exist
       fail-on-verified: "false"      # Set "true" to fail on verified secrets
diff --git a/.github/workflows/semgrep.yaml b/.github/workflows/semgrep.yaml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     container:
       # A Docker image with Semgrep installed. Do not change this.
-      image: semgrep/semgrep:1.152.0
+      image: semgrep/semgrep:1.152.0@sha256:e04d2cb132288d90035db8791d64f610cb255b21e727b94db046243b30c01ae9
     steps:
       # Fetch project source with GitHub Actions Checkout.
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
