From a64d4402e73bac3068fb3db70577dfb13ef2fbe0 Mon Sep 17 00:00:00 2001
From: Grace Luo <54298030+gracelu0@users.noreply.github.com>
Date: Thu, 13 Feb 2025 15:34:20 -0800
Subject: [PATCH] chore: update workflows to use sha instead of ref (#33442)
### Issue # (if applicable)
n/a
### Reason for this change
To adhere to best security practices
### Description of changes
Update workflows to use sha instead of ref
### Describe any new or updated permissions being added
### Description of how you validated changes
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .github/workflows/analytics-metadata-updater.yml | 4 ++--
 .github/workflows/lambda-runtime-tests.yml | 4 ++--
 .github/workflows/request-cli-integ-test.yml | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/analytics-metadata-updater.yml b/.github/workflows/analytics-metadata-updater.yml
index 171b30becf778..5b8b2e26383da 100644
--- a/.github/workflows/analytics-metadata-updater.yml
+++ b/.github/workflows/analytics-metadata-updater.yml
@@ -16,7 +16,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
- ref: ${{ github.event.pull_request.head.ref }}
+ ref: ${{ github.event.pull_request.head.sha }}
 - name: Set up Node
 uses: actions/setup-node@v4
@@ -51,4 +51,4 @@ jobs:
 git commit -m "chore: update analytics metadata blueprints"
 git push origin ${{ github.event.pull_request.head.ref }}
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/lambda-runtime-tests.yml b/.github/workflows/lambda-runtime-tests.yml
index 6914e76f08cff..def9fc08daac2 100644
--- a/.github/workflows/lambda-runtime-tests.yml
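Review bot: Checking out `head.sha` in analytics-metadata-updater.yml leaves the job on a detached HEAD, but the push step visible as context in that file's second hunk still runs `git push origin ${{ github.event.pull_request.head.ref }}`, which names a local branch the SHA checkout does not create, so the push will probably fail unless a step outside these hunks recreates the branch. That same line also expands the pull request's branch name, which the PR author chooses, directly into the shell script text. Both are addressed by passing the name through the step's `env:` block, `HEAD_REF: ${{ github.event.pull_request.head.ref }}`, and pushing with `git push origin "HEAD:refs/heads/$HEAD_REF"`. The first and second hunks of lambda-runtime-tests.yml contain the same pair of lines.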
+++ b/.github/workflows/lambda-runtime-tests.yml
@@ -13,7 +13,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
- ref: ${{ github.event.pull_request.head.ref }}
+ ref: ${{ github.event.pull_request.head.sha }}
 - name: Set up Node
 uses: actions/setup-node@v4
@@ -48,4 +48,4 @@ jobs:
 git commit -m "chore: update lambda runtime integration tests"
 git push origin ${{ github.event.pull_request.head.ref }}
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/request-cli-integ-test.yml b/.github/workflows/request-cli-integ-test.yml
index cf72cab3789dd..bbb836e17f9be 100644
--- a/.github/workflows/request-cli-integ-test.yml
+++ b/.github/workflows/request-cli-integ-test.yml
@@ -13,7 +13,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 with:
- ref: ${{ github.event.pull_request.head.ref }}
+ ref: ${{ github.event.pull_request.head.sha }}
 repository: ${{ github.event.pull_request.head.repo.full_name }}
 fetch-depth: 0
 persist-credentials: false
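Review bot: Nothing in the Checkout step of request-cli-integ-test.yml records why `ref` takes the commit SHA rather than the branch name, so a later cleanup could switch it back without noticing the security purpose. A comment above `ref:` such as `# Pin to the commit that triggered this event; a branch name can move between the event and the checkout` would keep the intent visible. The step fetches from `head.repo.full_name`, which may be a fork, so whatever the later steps (outside this hunk) do with the checked-out tree should treat it as untrusted input.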