workflows: Pin all actions

Previously zizmor only mandated pinning of third-party actions, but has recommended rolling this out to all actions now. Signed-off-by: stevenhorsman <steven@uk.ibm.com>
workflows: Remove unneeded strategy
2026-02-26 00:32:36 +00:00 · 2026-02-12 16:26:45 +00:00 · 2026-02-12 16:26:45 +00:00 · 2026-02-12 16:26:45 +00:00
6 changed files with 16 additions and 12 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -15,6 +15,8 @@ updates:
      - "/src/tools/trace-forwarder"
    schedule:
      interval: "daily"
+    cooldown:
+      default-days: 7
    ignore:
    # rust-vmm repos might cause incompatibilities on patch versions, so
    # lets handle them manually for now.
@@ -85,8 +87,12 @@ updates:
      - "src/tools/csi-kata-directvolume"
    schedule:
      interval: "daily"
+    cooldown:
+      default-days: 7

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
+    cooldown:
+      default-days: 7
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -72,7 +72,7 @@ jobs:

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
      with:
        languages: ${{ matrix.language }}
        build-mode: ${{ matrix.build-mode }}
@@ -95,6 +95,6 @@ jobs:
        make -C src/runtime

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
      with:
        category: "/language:${{matrix.language}}"
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -16,17 +16,17 @@ jobs:
      url: ${{ steps.deployment.outputs.page_url }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/configure-pages@v5
-      - uses: actions/checkout@v5
+      - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: 3.x
      - run: pip install zensical
      - run: zensical build --clean
-      - uses: actions/upload-pages-artifact@v4
+      - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
        with:
          path: site
-      - uses: actions/deploy-pages@v4
+      - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
        id: deployment
--- a/.github/workflows/run-cri-containerd-tests.yaml
+++ b/.github/workflows/run-cri-containerd-tests.yaml
@@ -35,8 +35,6 @@ on:
 jobs:
  run-cri-containerd:
    name: run-cri-containerd-${{ inputs.arch }} (${{ inputs.containerd_version }}, ${{ inputs.vmm }})
-    strategy:
-      fail-fast: false
    runs-on: ${{ inputs.runner }}
    env:
      CONTAINERD_VERSION: ${{ inputs.containerd_version }}
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -55,6 +55,6 @@ jobs:
      # Upload the results to GitHub's code scanning dashboard (optional).
      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
        with:
          sarif_file: results.sarif
--- a/src/runtime/pkg/govmm/.github/workflows/main.yml
+++ b/src/runtime/pkg/govmm/.github/workflows/main.yml
@@ -14,11 +14,11 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
        with:
          go-version: ${{ matrix.go-version }}
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: golangci-lint