invoke-ai
diff --git a/‎.github/workflows/frontend-checks.yml
+6-1 b/‎.github/workflows/frontend-checks.yml
+6-1
diff --git a/‎.github/workflows/frontend-tests.yml
+6-1 b/‎.github/workflows/frontend-tests.yml
+6-1
diff --git a/‎.github/workflows/python-checks.yml
+6-1 b/‎.github/workflows/python-checks.yml
+6-1
diff --git a/‎.github/workflows/python-tests.yml
+6-1 b/‎.github/workflows/python-tests.yml
+6-1
diff --git a/‎.github/workflows/typegen-checks.yml
+6-1 b/‎.github/workflows/typegen-checks.yml
+6-1
diff --git a/‎configs/controlnet/cldm_v15.yaml
-79 b/‎configs/controlnet/cldm_v15.yaml
-79
diff --git a/‎configs/controlnet/cldm_v21.yaml
-85 b/‎configs/controlnet/cldm_v21.yaml
-85
diff --git a/‎configs/stable-diffusion/sd_xl_base.yaml
-98 b/‎configs/stable-diffusion/sd_xl_base.yaml
-98
@@ -44,7 +44,12 @@ jobs:
       - name: check for changed frontend files
         if: ${{ inputs.always_run != true }}
         id: changed-files
-        uses: tj-actions/changed-files@v42
+        # Pinned to the _hash_ for v45.0.9 to prevent supply-chain attacks.
+        # See:
+        # - CVE-2025-30066
+        # - https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
+        # - https://github.com/tj-actions/changed-files/issues/2463
+        uses: tj-actions/changed-files@a284dc1814e3fd07f2e34267fc8f81227ed29fb8
         with:
           files_yaml: |
             frontend:
 
@@ -44,7 +44,12 @@ jobs:
       - name: check for changed frontend files
         if: ${{ inputs.always_run != true }}
         id: changed-files
-        uses: tj-actions/changed-files@v42
+        # Pinned to the _hash_ for v45.0.9 to prevent supply-chain attacks.
+        # See:
+        # - CVE-2025-30066
+        # - https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
+        # - https://github.com/tj-actions/changed-files/issues/2463
+        uses: tj-actions/changed-files@a284dc1814e3fd07f2e34267fc8f81227ed29fb8
         with:
           files_yaml: |
             frontend:
 
@@ -43,7 +43,12 @@ jobs:
       - name: check for changed python files
         if: ${{ inputs.always_run != true }}
         id: changed-files
-        uses: tj-actions/changed-files@v42
+        # Pinned to the _hash_ for v45.0.9 to prevent supply-chain attacks.
+        # See:
+        # - CVE-2025-30066
+        # - https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
+        # - https://github.com/tj-actions/changed-files/issues/2463
+        uses: tj-actions/changed-files@a284dc1814e3fd07f2e34267fc8f81227ed29fb8
         with:
           files_yaml: |
             python:
 
@@ -77,7 +77,12 @@ jobs:
       - name: check for changed python files
         if: ${{ inputs.always_run != true }}
         id: changed-files
-        uses: tj-actions/changed-files@v42
+        # Pinned to the _hash_ for v45.0.9 to prevent supply-chain attacks.
+        # See:
+        # - CVE-2025-30066
+        # - https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
+        # - https://github.com/tj-actions/changed-files/issues/2463
+        uses: tj-actions/changed-files@a284dc1814e3fd07f2e34267fc8f81227ed29fb8
         with:
           files_yaml: |
             python:
 
@@ -42,7 +42,12 @@ jobs:
       - name: check for changed files
         if: ${{ inputs.always_run != true }}
         id: changed-files
-        uses: tj-actions/changed-files@v42
+        # Pinned to the _hash_ for v45.0.9 to prevent supply-chain attacks.
+        # See:
+        # - CVE-2025-30066
+        # - https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
+        # - https://github.com/tj-actions/changed-files/issues/2463
+        uses: tj-actions/changed-files@a284dc1814e3fd07f2e34267fc8f81227ed29fb8
         with:
           files_yaml: |
             src: