From 9d34cbf299295fb3e0467ab36c0deb9063851457 Mon Sep 17 00:00:00 2001
From: yve-android
Date: Tue, 30 Dec 2025 10:35:49 +0100
Subject: [PATCH 1/3] Fix: Pin actions to commit SHA
---
 .github/workflows/build-apk.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build-apk.yml b/.github/workflows/build-apk.yml
index bbd4855..3392cfd 100644
--- a/.github/workflows/build-apk.yml
+++ b/.github/workflows/build-apk.yml
@@ -14,10 +14,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
 with:
 python-version: '3.11'
@@ -30,7 +30,7 @@ jobs:
 pip install buildozer cython==0.29.36
 - name: Cache Buildozer
- uses: actions/cache@v4
+ uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
 with:
 path: |
 .buildozer
@@ -41,8 +41,9 @@ jobs:
 run: buildozer android debug
 - name: Upload APK
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
 with:
 name: blacky-apk
 path: bin/*.apk
- retention-days: 30
+ retention-days: 30o
+
From 7a98bc2688df9966cd75c3682f3342d90b44ac64 Mon Sep 17 00:00:00 2001
From: yve-android
Date: Tue, 30 Dec 2025 11:05:01 +0100
Subject: [PATCH 2/3] tools: add GitHub Actions compliance fixer
---
 fix_actions_compliance.sh | 44 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100755 fix_actions_compliance.sh
diff --git a/fix_actions_compliance.sh b/fix_actions_compliance.sh
new file mode 100755
index 0000000..2552231
--- /dev/null
+++ b/fix_actions_compliance.sh
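Review bot: In PATCH 1/3 the four `uses:` lines are pinned to the releases named in their comments (v4.1.1, v5.0.0, v4.0.0, v4.3.0 across the `@@ -14,10`, `@@ -30,7` and `@@ -41,8` hunks), but nothing visible in the series keeps those hashes current, so fixes shipped in later action releases will not reach this workflow. Consider adding a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"`, which can update SHA pins together with the trailing version comment. The context line `pip install buildozer cython==0.29.36` in the `@@ -30,7` hunk still installs buildozer unpinned, so the tool that produces the APK remains a floating dependency; something like `pip install buildozer==<version used today> cython==0.29.36` would close that gap. Each hash is worth checking against the upstream tag before merging, since the comment is the only thing tying it to a release.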
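Review bot: In the `@@ -41,8 +41,9 @@` hunk of PATCH 1/3 the new line `retention-days: 30o` is a typo for `30`; the value is no longer an integer, so the upload step would presumably be rejected or fall back to something other than the intended 30 days. The hunk also appends an empty line at the end of the file. PATCH 3/3 reverts both, so squashing that part into this commit would keep every commit in the series with a valid workflow.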
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+WORKFLOW_DIR=".github/workflows"
+BACKUP_DIR=".github/workflows_backup_$(date +%Y%m%d_%H%M%S)"
+
+echo "🚦 Actions Compliance Fix gestartet"
+echo "📁 Workflows: $WORKFLOW_DIR"
+echo "🗂 Backup: $BACKUP_DIR"
+echo
+
+mkdir -p "$BACKUP_DIR"
+cp -r "$WORKFLOW_DIR"/*.yml "$BACKUP_DIR"/ 2>/dev/null || true
+
+declare -A ACTION_SHAS=(
+ ["actions/checkout@v4"]="actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11"
+ ["actions/setup-python@v5"]="actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d"
+ ["actions/cache@v4"]="actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9"
+ ["actions/upload-artifact@v4"]="actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3"
+)
+
+FOUND=0
+
+for file in "$WORKFLOW_DIR"/*.yml; do
+ echo "🔎 Prüfe $file"
+ for action in "${!ACTION_SHAS[@]}"; do
+ if grep -q "$action" "$file"; then
+ echo " ❌ Ersetze $action"
+ sed -i "s|$action|${ACTION_SHAS[$action]}|g" "$file"
+ FOUND=1
+ fi
+ done
+done
+
+echo
+if [[ "$FOUND" -eq 1 ]]; then
+ echo "✅ Fix abgeschlossen. Änderungen vorgenommen."
+ echo "➡️ Jetzt ausführen:"
+ echo " git diff"
+ echo " git commit -am \"chore(ci): pin GitHub Actions to SHAs\""
+ echo " git push"
+else
+ echo "🟢 Keine verbotenen Actions gefunden. Alles sauber."
+fi
From 04975261a2b7e9f12c49c6c683a6f1b028d665ac Mon Sep 17 00:00:00 2001
From: yve-android
Date: Wed, 31 Dec 2025 10:02:22 +0100
Subject: [PATCH 3/3] Fix: Pin actions to commit SHA
---
 .github/workflows/build-apk.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build-apk.yml b/.github/workflows/build-apk.yml
index 3392cfd..f235032 100644
--- a/.github/workflows/build-apk.yml
+++ b/.github/workflows/build-apk.yml
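Review bot: The inner loop's `grep -q "$action"` and `sed -i "s|$action|…|g"` match the tag as a bare substring, so a line such as `uses: actions/checkout@v4.1.1` would be rewritten to the hash followed by `.1.1`, which is not a valid ref; the pattern should be tied to the `uses:` key and the end of the ref. `cp -r … 2>/dev/null || true` hides a failed backup right before files are edited in place, and only `*.yml` is scanned, so `*.yaml` workflows are never checked. The hashes in `ACTION_SHAS` for setup-python, cache and upload-artifact differ from the ones PATCH 1/3 pins in build-apk.yml and carry no version, so it is unclear which release each one is; a `# vX.Y.Z` comment per entry, checked against the upstream tag, would make the table auditable. A sketch of the loop with those three changes follows.

```shell
shopt -s nullglob                      # an empty workflow dir yields no iterations
mkdir -p "$BACKUP_DIR"
# … unchanged: ACTION_SHAS map, FOUND=0 …
for file in "$WORKFLOW_DIR"/*.yml "$WORKFLOW_DIR"/*.yaml; do
  cp -- "$file" "$BACKUP_DIR"/         # no "|| true": set -e stops before any edit
  # … unchanged: progress echo …
  for action in "${!ACTION_SHAS[@]}"; do
    # Match the whole ref after "uses:", not a prefix of e.g. @v4.1.1
    pattern="(uses:[[:space:]]*)${action}([[:space:]#].*)?\$"
    if grep -Eq "$pattern" "$file"; then
      sed -E -i "s|${pattern}|\\1${ACTION_SHAS[$action]}\\2|" "$file"
      FOUND=1
    fi
  done
done
```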
@@ -14,10 +14,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 - name: Setup Python
- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+ uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
 with:
 python-version: '3.11'
@@ -30,7 +30,7 @@ jobs:
 pip install buildozer cython==0.29.36
 - name: Cache Buildozer
- uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+ uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2
 with:
 path: |
 .buildozer
@@ -41,9 +41,8 @@ jobs:
 run: buildozer android debug
 - name: Upload APK
- uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
+ uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
 with:
 name: blacky-apk
 path: bin/*.apk
- retention-days: 30o
-
+ retention-days: 30
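Review bot: Dropping the `# v4.1.1`, `# v5.0.0`, `# v4.0.0` and `# v4.3.0` comments (in this `@@ -14,10` hunk and in the `@@ -30,7` and `@@ -41,9` hunks) leaves four bare 40-character hashes with no record of which release each one is meant to be. That makes the pins hard to audit, because a reviewer can no longer compare a hash against the upstream tag at a glance, and update tooling that rewrites the comment has nothing to anchor on. I would keep the trailing comments, e.g. `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`. The subject repeats 1/3's "Fix: Pin actions to commit SHA" although this commit only removes comments and corrects `retention-days`; a subject saying that would make the history easier to read.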