From 184154a4c9306d87fa378f8db58907a798e45590 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 3 Jun 2026 21:37:04 +0000
Subject: [PATCH 1/2] chore(deps): Bump actions/checkout from 4 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v6)
---
updated-dependencies:
- dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/skill-frontmatter.yml | 2 +-
 .github/workflows/validate-plugins.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/skill-frontmatter.yml b/.github/workflows/skill-frontmatter.yml
index 3a7e9f0..7f6046a 100644
--- a/.github/workflows/skill-frontmatter.yml
+++ b/.github/workflows/skill-frontmatter.yml
@@ -18,7 +18,7 @@ jobs:
 name: Reject multi-line YAML descriptions
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - name: Check SKILL.md descriptions are single-line
 run: |
diff --git a/.github/workflows/validate-plugins.yml b/.github/workflows/validate-plugins.yml
index 686c072..7b5ce4e 100644
--- a/.github/workflows/validate-plugins.yml
+++ b/.github/workflows/validate-plugins.yml
@@ -17,6 +17,6 @@ jobs:
 validate-plugins:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - name: Validate plugin registrations
 run: node scripts/validate-plugins.mjs
From 1d0d65287173e61bcaa754243ae2859b437f84d8 Mon Sep 17 00:00:00 2001
From: Yordis Prieto
Date: Sun, 7 Jun 2026 20:01:42 -0400
Subject: [PATCH 2/2] chore(ci): pin actions/checkout to immutable SHA
Tag references can be moved; pinning keeps CI behavior stable and matches the supply-chain pattern used by other workflows.
Signed-off-by: Yordis Prieto
---
 .github/workflows/skill-frontmatter.yml | 2 +-
 .github/workflows/validate-plugins.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/skill-frontmatter.yml b/.github/workflows/skill-frontmatter.yml
index 7f6046a..b84a56d 100644
--- a/.github/workflows/skill-frontmatter.yml
+++ b/.github/workflows/skill-frontmatter.yml
@@ -18,7 +18,7 @@ jobs:
 name: Reject multi-line YAML descriptions
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Check SKILL.md descriptions are single-line
 run: |
diff --git a/.github/workflows/validate-plugins.yml b/.github/workflows/validate-plugins.yml
index 7b5ce4e..4fa4101 100644
--- a/.github/workflows/validate-plugins.yml
+++ b/.github/workflows/validate-plugins.yml
@@ -17,6 +17,6 @@ jobs:
 validate-plugins:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Validate plugin registrations
 run: node scripts/validate-plugins.mjs
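Review bot: Nothing in the patch shows that the 40-character commit on the new `uses:` line belongs to the upstream actions/checkout repository or is the commit the `# v6.0.3` comment names; the same applies to the identical line in the validate-plugins.yml hunk. The trailing comment is free text that GitHub never checks, and a `uses: owner/repo@<sha>` reference can also resolve to a commit that exists only in a fork of that repository. The SHA should therefore be compared with the upstream v6.0.3 tag before merging. Keeping the comment in the `# vX.Y.Z` form is worthwhile, since Dependabot can then rewrite it together with the SHA on later bumps. The job body continues outside the hunk.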
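Review bot: The checkout step on the new `uses:` line still has no `with:` block, so the job token that checkout configures for git remains usable by the following `node scripts/validate-plugins.mjs` step, which executes code from the checked-out tree. Adding `with:` and `persist-credentials: false` under the `uses:` line removes that, and as far as the hunk shows the validation script does not need to fetch or push. The workflow's triggers and any `permissions:` block lie outside the hunk, so whether the token is already read-only cannot be told from here. The skill-frontmatter.yml hunk has the same bare checkout step.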