From 224907d153a04bf89781c1058d14c19958415dd1 Mon Sep 17 00:00:00 2001
From: Henner Zeller
Date: Mon, 25 May 2026 19:21:05 +0200
Subject: [PATCH 1/2] Explicitly mark dependencies as keep for bracket-headers used. This project uses bracket includes for dependencies that are actually vendored via the MODULE.bazel. So they should use `"zlib.h"`, `"tcl.h"` etc, but here they use ``, `` which makes them look like system headers. They are meant to be using the vendored headers, to explicitly tell build_cleaner (`bant`) that the dependencies should be kept. (ideally, we fix the includes, but since this is a fork, this might be harder to maintain). Also keeps `@openmp` for now, but see #364 if this is actually needed.
Signed-off-by: Henner Zeller
---
 BUILD | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/BUILD b/BUILD
index 1c493f06..5d867b50 100644
--- a/BUILD
+++ b/BUILD
@@ -396,11 +396,11 @@ cc_library(
 visibility = ["//:__subpackages__"],
 deps = [
 "@cudd",
- "@eigen",
- "@openmp",
+ "@eigen", # keep. Is used, but with <>-includes
+ "@openmp", # keep. Is needed ? Nobody includes omp.h
 "@rules_flex//flex:current_flex_toolchain",
- "@tcl_lang//:tcl",
- "@zlib",
+ "@tcl_lang//:tcl", # keep. Is used, but with <>-includes
+ "@zlib", # keep. Is used, but with <>-includes
 ],
 )
From 38442a61a757d587a8b478c149c56a2e47050dad Mon Sep 17 00:00:00 2001
From: Vitor Bandeira
Date: Wed, 27 May 2026 14:34:50 -0300
Subject: [PATCH 2/2] gha: use commit sha instead of version/tag Using commit sha helps prevent chain attacks that have become common.
Signed-off-by: Vitor Bandeira
---
 .github/workflows/buildifier.yaml | 4 ++--
 .github/workflows/ci.yml | 6 +++---
 .github/workflows/github-actions-are-differences-found.yml | 2 +-
 .github/workflows/on-push.yml | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/buildifier.yaml b/.github/workflows/buildifier.yaml
index 1f00a3a8..cbadadf6 100644
--- a/.github/workflows/buildifier.yaml
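Review bot: The `# keep` on `@openmp` in the `deps` list of BUILD rests only on an open question (`Is needed ? Nobody includes omp.h`), so the comment should name the tracking issue from the commit message, e.g. `"@openmp",  # keep. Possibly unused, see #364`. For `@eigen`, `@tcl_lang//:tcl` and `@zlib`, the markers stop build_cleaner from dropping the deps but do not show that the `<>`-includes resolve to the vendored headers rather than the host's. That presumably depends on the include paths those targets export and is worth confirming once, since a silent fallback to system zlib or tcl headers would make the build non-hermetic. The `cc_library(` rule starts before this hunk.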
+++ b/.github/workflows/buildifier.yaml
@@ -25,11 +25,11 @@ jobs:
 steps:
 - name: Checkout Code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Cache buildifier
 id: cache-buildifier
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 path: ./buildifier
 key: ${{ runner.os }}-buildifier-${{ env.BUILDIFIER_VERSION }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 62c82e2b..51ea44a6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 submodules: true
@@ -48,7 +48,7 @@ jobs:
 ./regression
 - name: Upload Artifacts
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: ${{ !cancelled() }}
 with:
 name: artifact
@@ -57,7 +57,7 @@ jobs:
 retention-days: 1
 - name: Upload Test Result
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: ${{ !cancelled() }}
 with:
 name: result
diff --git a/.github/workflows/github-actions-are-differences-found.yml b/.github/workflows/github-actions-are-differences-found.yml
index 45436800..19b8b3ba 100644
--- a/.github/workflows/github-actions-are-differences-found.yml
+++ b/.github/workflows/github-actions-are-differences-found.yml
@@ -8,7 +8,7 @@ jobs:
 runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted' || 'ubuntu-latest' }}
 steps:
 - name: Check out repository code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: Check ok files
diff --git a/.github/workflows/on-push.yml b/.github/workflows/on-push.yml
index 2452422a..1d1c064f 100644
--- a/.github/workflows/on-push.yml
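Review bot: In `.github/workflows/buildifier.yaml`, and likewise in the `ci.yml`, `github-actions-are-differences-found.yml` and `on-push.yml` hunks, the trailing `# v6.0.2` / `# v5.0.5` comments are the only link between each SHA and a release, and nothing checks them. Each SHA should be confirmed against the tag in the action's own repository before merge, because `uses:` also accepts a commit that exists only in a fork of that repository. Pinned SHAs no longer pick up fixes on their own, and the patch shows no updater configuration. If none exists, add a `github-actions` entry to `.github/dependabot.yml` so the pins and their version comments are bumped together.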
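Review bot: The pinned `actions/checkout` step in the first hunk of `.github/workflows/ci.yml` keeps the action's default `persist-credentials: true`, so the job token stays available to git while the later steps run the project's build and `./regression` scripts. If no later step needs to push or fetch, add `persist-credentials: false` under `with:` next to `submodules: true`. The same applies to the checkout steps in `github-actions-are-differences-found.yml` and `on-push.yml`, which may run on the `self-hosted` runner. The job body continues outside the hunk, so whether a later step needs the token is not visible here.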
+++ b/.github/workflows/on-push.yml
@@ -11,6 +11,6 @@ jobs:
 runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted' || 'ubuntu-latest' }}
 steps:
 - name: Check out repository code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: run security_scan_on_push
 uses: The-OpenROAD-Project/actions/security_scan_on_push@main
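Review bot: The second step in this hunk, `uses: The-OpenROAD-Project/actions/security_scan_on_push@main`, still references a mutable branch, so `on-push.yml` keeps the exposure this commit removes for `actions/checkout`. Whoever can push to that repository's `main` changes what runs here, on a job that may be scheduled on the `self-hosted` runner per the `runs-on` expression. Pin it the same way, `uses: The-OpenROAD-Project/actions/security_scan_on_push@<full-commit-sha> # main`, where `<full-commit-sha>` is a placeholder for the reviewed commit. The steps list may continue outside the hunk.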