From 419a5b14e90e49e5c94decf4f41cf25168066070 Mon Sep 17 00:00:00 2001
From: Josh Radcliff <jradcliff@users.noreply.github.com>
Date: Thu, 25 Jun 2026 13:58:31 -0400
Subject: [PATCH] build: fix zizmor findings

https://docs.zizmor.sh/audits/
---
 .github/workflows/presubmit.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/presubmit.yaml b/.github/workflows/presubmit.yaml
index 4cfb801..f195334 100644
--- a/.github/workflows/presubmit.yaml
+++ b/.github/workflows/presubmit.yaml
@@ -10,14 +10,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v6
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      with:
+        persist-credentials: false
     - name: Set up Java
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5
       with:
         java-version: '11'
         distribution: 'temurin'
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v6
+      uses: gradle/actions/setup-gradle@3f131e8634966bd73d06cc69884922b02e6faf92 # v6
       with:
         cache-disabled: true
     # TODO(jradcliff): Add a lint step. Currently blocked by https://github.com/abcxyz/actions/issues/107.