gha: Pin third-party actions to commit hashes

A popular third-party action has recently been compromised [1][2] and the attacker managed to point multiple git version tags to a malicious commit containing code to exfiltrate secrets. This PR follows GitHub's recommendation [3] to pin third-party actions to a full-length commit hash, to mitigate such attacks. Hopefully actionlint starts warning about this soon [4]. [1] https://www.cve.org/CVERecord?id=CVE-2025-30066 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions [4] https://github.com/rhysd/actionlint/pull/436 Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-04-27 03:21:04 +00:00 · 2025-03-17 12:23:15 -05:00 · 2025-03-17 12:23:15 -05:00 · a678046d13
commit a678046d13
parent ba5b0777b5
24 changed files with 64 additions and 64 deletions
--- a/.github/cargo-deny-composite-action/cargo-deny-skeleton.yaml.in
+++ b/.github/cargo-deny-composite-action/cargo-deny-skeleton.yaml.in
@ -21,7 +21,7 @@ runs:
        override: true

    - name: Cache
-      uses: Swatinem/rust-cache@v2
+      uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7

    - name: Install Cargo deny
      shell: bash
--- a/.github/workflows/PR-wip-checks.yaml
+++ b/.github/workflows/PR-wip-checks.yaml
@ -20,7 +20,7 @@ jobs:
    steps:
    - name: WIP Check
      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
-      uses: tim-actions/wip-check@1c2a1ca6c110026b3e2297bb2ef39e1747b5a755
+      uses: tim-actions/wip-check@1c2a1ca6c110026b3e2297bb2ef39e1747b5a755 # master (2021-06-10)
      with:
        labels: '["do-not-merge", "wip", "rfc"]'
        keywords: '["WIP", "wip", "RFC", "rfc", "dnm", "DNM", "do-not-merge"]'
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@ -68,7 +68,7 @@ jobs:
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@ -110,13 +110,13 @@ jobs:
          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"

-      - uses: oras-project/setup-oras@v1
+      - uses: oras-project/setup-oras@5c0b487ce3fe0ce3ab0d034e63669e426e294e4d # v1.2.2
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
        with:
          version: "1.2.0"

      # for pushing attestations to the registry
-      - uses: docker/login-action@v3
+      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
        with:
          registry: ghcr.io
@ -163,7 +163,7 @@ jobs:
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@ -226,7 +226,7 @@ jobs:
          - kernel-nvidia-gpu-confidential-headers
          - pause-image
    steps:
-      - uses: geekyeggo/delete-artifact@v5
+      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        with:
          name: kata-artifacts-amd64-${{ matrix.asset}}${{ inputs.tarball-suffix }}

@ -239,7 +239,7 @@ jobs:
        asset:
          - agent
    steps:
-      - uses: geekyeggo/delete-artifact@v5
+      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        if: ${{ inputs.stage == 'release' }}
        with:
          name: kata-artifacts-amd64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
@ -250,7 +250,7 @@ jobs:
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@ -48,7 +48,7 @@ jobs:
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@ -89,13 +89,13 @@ jobs:
          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"

-      - uses: oras-project/setup-oras@v1
+      - uses: oras-project/setup-oras@5c0b487ce3fe0ce3ab0d034e63669e426e294e4d # v1.2.2
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
        with:
          version: "1.2.0"

      # for pushing attestations to the registry
-      - uses: docker/login-action@v3
+      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
        with:
          registry: ghcr.io
@ -138,7 +138,7 @@ jobs:
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@ -197,7 +197,7 @@ jobs:
          - busybox
          - kernel-nvidia-gpu-headers
    steps:
-      - uses: geekyeggo/delete-artifact@v5
+      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        with:
          name: kata-artifacts-arm64-${{ matrix.asset}}${{ inputs.tarball-suffix }}

@ -210,7 +210,7 @@ jobs:
        asset:
          - agent
    steps:
-      - uses: geekyeggo/delete-artifact@v5
+      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        if: ${{ inputs.stage == 'release' }}
        with:
          name: kata-artifacts-arm64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
@ -221,7 +221,7 @@ jobs:
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
--- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
@ -36,7 +36,7 @@ jobs:
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@ -89,7 +89,7 @@ jobs:
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@ -147,7 +147,7 @@ jobs:
        asset:
          - agent
    steps:
-      - uses: geekyeggo/delete-artifact@v5
+      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        if: ${{ inputs.stage == 'release' }}
        with:
          name: kata-artifacts-ppc64le-${{ matrix.asset}}${{ inputs.tarball-suffix }}
@ -158,7 +158,7 @@ jobs:
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
--- a/.github/workflows/build-kata-static-tarball-riscv64.yaml
+++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml
@ -37,7 +37,7 @@ jobs:
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@ -44,7 +44,7 @@ jobs:
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@ -87,7 +87,7 @@ jobs:
          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"

      # for pushing attestations to the registry
-      - uses: docker/login-action@v3
+      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
        with:
          registry: ghcr.io
@ -122,7 +122,7 @@ jobs:
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@ -227,7 +227,7 @@ jobs:
          - coco-guest-components
          - pause-image
    steps:
-      - uses: geekyeggo/delete-artifact@v5
+      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        if: ${{ inputs.stage == 'release' }}
        with:
          name: kata-artifacts-s390x-${{ matrix.asset}}${{ inputs.tarball-suffix }}
@ -238,7 +238,7 @@ jobs:
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@ -54,20 +54,20 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

      - name: Login to Kata Containers ghcr.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
        with:
          tags: ghcr.io/kata-containers/test-images:unencrypted-${{ inputs.pr-number }}
          push: true
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -122,20 +122,20 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

      - name: Login to Kata Containers ghcr.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
        with:
          tags: ghcr.io/kata-containers/test-images:unencrypted-${{ inputs.pr-number }}
          push: true
@ -175,17 +175,17 @@ jobs:
          cp /opt/kata/bin/csi-kata-directvolume src/tools/csi-kata-directvolume/bin/directvolplugin

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

      - name: Login to Kata Containers ghcr.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
        with:
          tags: ghcr.io/kata-containers/csi-kata-directvolume:${{ inputs.pr-number }}
          push: true
--- a/.github/workflows/commit-message-check.yaml
+++ b/.github/workflows/commit-message-check.yaml
@ -26,7 +26,7 @@ jobs:
    - name: Get PR Commits
      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
      id: 'get-pr-commits'
-      uses: tim-actions/get-pr-commits@v1.2.0
+      uses: tim-actions/get-pr-commits@c64db31d359214d244884dd68f971a110b29ab83 # v1.2.0
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        # Filter out revert commits
@ -41,19 +41,19 @@ jobs:

    - name: DCO Check
      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
-      uses: tim-actions/dco@2fd0504dc0d27b33f542867c300c60840c6dcb20
+      uses: tim-actions/dco@2fd0504dc0d27b33f542867c300c60840c6dcb20 # master (2020-04-28)
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}

    - name: Commit Body Missing Check
      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
-      uses: tim-actions/commit-body-check@v1.0.2
+      uses: tim-actions/commit-body-check@d2e0e8e1f0332b3281c98867c42a2fbe25ad3f15 # v1.0.2
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}

    - name: Check Subject Line Length
      if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
-      uses: tim-actions/commit-message-checker-with-regex@v0.3.1
+      uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}
        pattern: '^.{0,75}(\n.*)*$'
@ -62,7 +62,7 @@ jobs:

    - name: Check Body Line Length
      if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
-      uses: tim-actions/commit-message-checker-with-regex@v0.3.1
+      uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}
        # Notes:
@ -93,7 +93,7 @@ jobs:

    - name: Check Subsystem
      if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
-      uses: tim-actions/commit-message-checker-with-regex@v0.3.1
+      uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}
        pattern: '^[\s\t]*[^:\s\t]+[\s\t]*:'
--- a/.github/workflows/payload-after-push.yaml
+++ b/.github/workflows/payload-after-push.yaml
@ -101,7 +101,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
--- a/.github/workflows/publish-kata-deploy-payload.yaml
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@ -53,7 +53,7 @@ jobs:

      - name: Login to Kata Containers quay.io
        if: ${{ inputs.registry == 'quay.io' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@ -61,7 +61,7 @@ jobs:

      - name: Login to Kata Containers ghcr.io
        if: ${{ inputs.registry == 'ghcr.io' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@ -19,13 +19,13 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Login to Kata Containers docker.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@ -19,13 +19,13 @@ jobs:
    runs-on: ubuntu-22.04-arm
    steps:
      - name: Login to Kata Containers docker.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@ -19,13 +19,13 @@ jobs:
    runs-on: ppc64le
    steps:
      - name: Login to Kata Containers docker.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@ -19,13 +19,13 @@ jobs:
    runs-on: s390x
    steps:
      - name: Login to Kata Containers docker.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -53,13 +53,13 @@ jobs:
        uses: actions/checkout@v4

      - name: Login to Kata Containers docker.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
@ -183,7 +183,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Install helm
-        uses: azure/setup-helm@v4.2.0
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
        id: install

      - name: Generate and upload helm chart tarball
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@ -103,7 +103,7 @@ jobs:
          AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}

      - name: Create AKS cluster
-        uses: nick-fields/retry@v3
+        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
        with:
          timeout_minutes: 15
          max_attempts: 20
--- a/.github/workflows/run-kata-coco-stability-tests.yaml
+++ b/.github/workflows/run-kata-coco-stability-tests.yaml
@ -87,7 +87,7 @@ jobs:
          AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}

      - name: Create AKS cluster
-        uses: nick-fields/retry@v3
+        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
        with:
          timeout_minutes: 15
          max_attempts: 20
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@ -257,7 +257,7 @@ jobs:
          AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}

      - name: Create AKS cluster
-        uses: nick-fields/retry@v3
+        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
        with:
          timeout_minutes: 15
          max_attempts: 20
--- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml
+++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
@ -71,7 +71,7 @@ jobs:
          AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}

      - name: Create AKS cluster
-        uses: nick-fields/retry@v3
+        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
        with:
          timeout_minutes: 15
          max_attempts: 20
--- a/.github/workflows/shellcheck.yaml
+++ b/.github/workflows/shellcheck.yaml
@ -25,6 +25,6 @@ jobs:

      - uses: actions/checkout@v4
      - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@master
+        uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master (2024-06-20)
        with:
          ignore_paths: "**/vendor/**"
--- a/.github/workflows/shellcheck_required.yaml
+++ b/.github/workflows/shellcheck_required.yaml
@ -26,7 +26,7 @@ jobs:

      - uses: actions/checkout@v4
      - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@master
+        uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master (2024-06-20)
        with:
          severity: error
          ignore_paths: "**/vendor/**"
--- a/src/runtime/pkg/govmm/.github/workflows/main.yml
+++ b/src/runtime/pkg/govmm/.github/workflows/main.yml
@ -15,7 +15,7 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@4696ba8babb6127d732c3c6dde519db15edab9ea # v6.5.1
        with:
          version: latest
          args: -c .golangci.yml -v