ci(deps): pin dependencies (#1173)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/workflows/build-and-push-component.yaml

@@ -63,28 +63,28 @@ jobs:
           - linux/arm64
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
 
       - name: Cache Docker layers
-        uses: actions/cache@v4
+        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ github.ref }}
           restore-keys: |
             ${{ runner.os }}-buildx-
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
         id: build
         with:
           context: .
@@ -110,7 +110,7 @@ jobs:
 
       - name: Upload digests
         if: inputs.push
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
         with:
           name: ${{ needs.build-vars.outputs.digests-cache-name }}-${{ steps.digest.outputs.digest }}
           path: /tmp/digests/*
@@ -126,17 +126,17 @@ jobs:
       - build-and-push
     steps:
       - name: Download digests
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4
         with:
           pattern: ${{ needs.build-vars.outputs.digests-cache-name }}-*
           merge-multiple: true
           path: /tmp/digests
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/cache-cleanup.yml

@@ -42,7 +42,7 @@ jobs:
     name: Cleanup cache entries for PR
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Cleanup
         run: ./.github/scripts/cache-cleanup.sh
@@ -60,7 +60,7 @@ jobs:
     name: Cleanup cache entries manually
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Cleanup
         run: ./.github/scripts/cache-cleanup.sh
@@ -79,7 +79,7 @@ jobs:
     name: Cleanup cache entries by age
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Cleanup
         run: ./.github/scripts/cache-cleanup.sh

.github/workflows/ci.yml

@@ -18,18 +18,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
         with:
           # NOTE(chrisgacsal): Use actions/cache for caching Go dependency and build caches
           # as if provides better flexibility like setting the cache key which reduces cache misses significantly.
           cache: false
           go-version-file: '.go-version'
 
       - name: Setup Go caching
-        uses: actions/cache@v4
+        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
         with:
           path: |
             ~/.cache/go-build
@@ -53,7 +53,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Generate Helm Docs
         run: make gen-helm-docs

.github/workflows/image-cleanup.yml

@@ -38,7 +38,7 @@ jobs:
     name: Cleanup container images for Pull Request
     steps:
       - name: Remove images for PR#${{ github.event.pull_request.number }}
-        uses: snok/container-retention-policy@v2
+        uses: snok/container-retention-policy@b56f4ff7539c1f94f01e5dc726671cd619aa8072 # v2
         with:
           image-names: ${{ env.images }}
           cut-off: 1 second ago UTC
@@ -55,7 +55,7 @@ jobs:
     name: Cleanup stale container images
     steps:
       - name: Remove stale images
-        uses: snok/container-retention-policy@v2
+        uses: snok/container-retention-policy@b56f4ff7539c1f94f01e5dc726671cd619aa8072 # v2
         with:
           image-names: ${{ env.images }}
           cut-off: 7 days ago UTC
@@ -72,7 +72,7 @@ jobs:
     name: Cleanup stale container images
     steps:
       - name: Remove stale images
-        uses: snok/container-retention-policy@v2
+        uses: snok/container-retention-policy@b56f4ff7539c1f94f01e5dc726671cd619aa8072 # v2
         with:
           image-names: ${{ env.images }}
           cut-off: ${{ inputs.cut-off }}

.github/workflows/release.yaml

@@ -33,15 +33,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Create Helm Chart package
         env:
           VERSION: ${{ github.ref_name }}
         run: make dist-helm-chart
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -57,18 +57,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
         with:
           # NOTE(chrisgacsal): Use actions/cache for caching Go dependency and build caches
           # as if provides better flexibility like setting the cache key which reduces cache misses significantly.
           cache: false
           go-version-file: '.go-version'
 
       - name: Setup Go caching
-        uses: actions/cache@v4
+        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
         with:
           path: |
             ~/.cache/go-build
@@ -104,7 +104,7 @@ jobs:
         run: make dist-gcp-deployment
 
       - name: Upload
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
         with:
           name: artifacts
           path: |
@@ -126,12 +126,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
 
       - name: Download artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4
         with:
           name: artifacts
           path: dist
@@ -141,7 +141,7 @@ jobs:
           VERSION: ${{ github.ref_name }}
         run: make generate-release-notes
 
-      - uses: ncipollo/release-action@v1
+      - uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1
         with:
           allowUpdates: true
           artifactErrorsFailBuild: true

.github/workflows/reusable-build-and-push.yml

@@ -31,7 +31,7 @@ jobs:
       timestamp: ${{ steps.timestamp.outputs.timestamp }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Set timestamp
         id: timestamp
@@ -132,7 +132,7 @@ jobs:
       - vmclarity-cr-discovery-server
     steps:
       - name: Post comment with image tags
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2
         with:
           hide_and_recreate: true
           hide_classify: "OUTDATED"

.github/workflows/reusable-end-to-end-testing.yml

@@ -24,18 +24,18 @@ jobs:
     needs: images
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
         with:
           # NOTE(chrisgacsal): Use actions/cache for caching Go dependency and build caches
           # as if provides better flexibility like setting the cache key which reduces cache misses significantly.
           cache: false
           go-version-file: '.go-version'
 
       - name: Setup Go caching
-        uses: actions/cache@v4
+        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
         with:
           path: |
             ~/.cache/go-build

.github/workflows/reusable-verification.yml

@@ -8,18 +8,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
         with:
           # NOTE(chrisgacsal): Use actions/cache for caching Go dependency and build caches
           # as if provides better flexibility like setting the cache key which reduces cache misses significantly.
           cache: false
           go-version-file: '.go-version'
 
       - name: License cache
-        uses: actions/cache@v4
+        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
         with:
           path: |
             .licensei.cache
@@ -49,10 +49,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Setup Cloud Formation Linter with Latest Version
-        uses: scottbrenner/cfn-lint-action@v2
+        uses: scottbrenner/cfn-lint-action@37aa911f6b6a9d8fe9fba4a96e069086a8dc95de # v2
 
       - name: Run linters for Cloudformation
         run: |
@@ -72,7 +72,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Lint Github workflows
         run: |
@@ -84,18 +84,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
         with:
           # NOTE(chrisgacsal): Use actions/cache for caching Go dependency and build caches
           # as if provides better flexibility like setting the cache key which reduces cache misses significantly.
           cache: false
           go-version-file: '.go-version'
 
       - name: Setup Go caching
-        uses: actions/cache@v4
+        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
         with:
           path: |
             ~/.cache/go-build
@@ -112,7 +112,7 @@ jobs:
           [[ -z "$(git status --porcelain)" ]] || exit 1
 
       - name: Cache golangci-lint cache
-        uses: actions/cache@v4
+        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
         with:
           path: ${{ github.workspace }}/.golangci.cache
           key: golangci-${{ github.ref_name }}-${{ hashFiles('**/go.sum') }}

.github/workflows/semantic-pr.yml

@@ -16,7 +16,7 @@ jobs:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5
         id: lint_pr_title
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -55,7 +55,7 @@ jobs:
             testenv
 
       # Leave a comment if linter reports an error
-      - uses: marocchino/sticky-pull-request-comment@v2
+      - uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2
         if: always() && (steps.lint_pr_title.outputs.error_message != null)
         with:
           header: pr-title-lint-error
@@ -71,7 +71,7 @@ jobs:
             ```
       # Hide error message if the PR title has been fixed
       - if: ${{ steps.lint_pr_title.outputs.error_message == null }}
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2
         with:
           header: pr-title-lint-error
           delete: true