From f8eff3c1834011b1a676d19005629c5d554c2160 Mon Sep 17 00:00:00 2001
From: Damien Retzinger <damienwebdev@gmail.com>
Date: Mon, 27 Apr 2026 13:36:56 -0400
Subject: [PATCH] ci: update release refs to specific versions

---
 .github/workflows/release-please.yml | 38 +++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 3d8a45d..9d4107c 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -8,7 +8,43 @@ on:
 jobs:
   release-please:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
-      - uses: googleapis/release-please-action@v4
+      - id: release
+        uses: googleapis/release-please-action@v4
         with:
           token: ${{ secrets.GRAYCORE_GITHUB_TOKEN }}
+
+      - name: Checkout release PR branch
+        if: steps.release.outputs.pr
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ fromJSON(steps.release.outputs.pr).headBranchName }}
+          token: ${{ secrets.GRAYCORE_GITHUB_TOKEN }}
+
+      - name: Pin refs on release PR branch
+        if: steps.release.outputs.pr
+        env:
+          GRAYBOT_GPG_KEY: ${{ secrets.GRAYBOT_GPG_KEY }}
+        run: |
+          VERSION="v$(jq -r '."."' .release-please-manifest.json)"
+
+          sed -i "s|uses: graycoreio/github-actions-magento2/\([^@]*\)@main|uses: graycoreio/github-actions-magento2/\1@${VERSION}|g" \
+            */action.yml \
+            $(find .github/workflows \( -name "*.yml" -o -name "*.yaml" \) ! -name "release-*")
+
+          if git diff --quiet; then
+            echo "No changes — refs already pinned to ${VERSION}"
+            exit 0
+          fi
+
+          echo "$GRAYBOT_GPG_KEY" | gpg --batch --import
+          export GPG_KEY_ID=$(gpg --list-secret-keys --keyid-format LONG | grep sec | awk '{print $2}' | cut -d/ -f2)
+          git config --global user.signingkey $GPG_KEY_ID
+          git config --global commit.gpgSign true
+          git config --global user.email "automation@graycore.io"
+          git config --global user.name "Beep Boop"
+          git add .
+          git commit -m "chore: pin internal action refs to ${VERSION}"
+          git push origin ${{ fromJSON(steps.release.outputs.pr).headBranchName }}
\ No newline at end of file