From 3b0983403936d27a97fccb71decb50b3638494c1 Mon Sep 17 00:00:00 2001 From: Evan Huus Date: Tue, 5 May 2026 15:24:00 -0400 Subject: [PATCH] Harden CI images --- .github/workflows/changie-gen.yaml | 4 ++-- .github/workflows/release.yaml | 14 +++++++------- .github/workflows/reports.yml | 4 ++-- .github/workflows/tests.yml | 8 ++++---- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/changie-gen.yaml b/.github/workflows/changie-gen.yaml index 33eedb7..b8afd20 100644 --- a/.github/workflows/changie-gen.yaml +++ b/.github/workflows/changie-gen.yaml @@ -16,7 +16,7 @@ jobs: steps: - name: Checkout branch that Dependabot labeled if: github.event.workflow_run.conclusion == 'success' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.PR_BRANCH }} token: ${{ secrets.ORG_GITHUB_TOKEN }} @@ -39,7 +39,7 @@ jobs: if: >- github.event.workflow_run.conclusion == 'success' && steps.changelog_check.outputs.exists == 'false' - uses: miniscruff/changie-action@v2 + uses: miniscruff/changie-action@6dcc2533cac0495148ed4046c438487e4dceaa23 # v2 with: version: latest args: new --kind Dependency --body "${{ github.event.workflow_run.display_title }}" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 7fdc10f..d262456 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 submodules: 'true' 
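Review bot: The pinned checkout step in changie-gen.yaml still leaves `ORG_GITHUB_TOKEN` in the workspace's git config for every later step, because `actions/checkout` defaults `persist-credentials` to true and the hunk does not override it. The SHA pin narrows what the checkout action itself runs, but the org-scoped token stays reachable from any subsequent step of this `workflow_run`-triggered job, so the pin alone does not shrink that exposure. If no later step pushes with this token, add `persist-credentials: false` under `with:`; if one does, a short comment naming that step would let a reviewer confirm the scope is intentional. The remainder of the job is outside the hunk.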
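Review bot: The `miniscruff/changie-action` step in changie-gen.yaml is now SHA-pinned, but the next line `version: latest` still makes the action download whichever changie release is current, so the toolchain this job runs is not actually frozen by the commit. The same gap exists for `arduino/setup-task` with `version: 3.x` in release.yaml and tests.yml. Pin the tool versions too, e.g. `version: "<changie release>"` here (placeholder — use the release the team has validated), and keep the value quoted so a numeric-looking version is not retyped by the YAML parser.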
@@ -22,24 +22,24 @@ jobs: - name: Fetch All Tags run: git fetch --force --tags - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: src/go.mod cache-dependency-path: | src/go.sum - name: Import GPG Key id: import_gpg - uses: crazy-max/ghaction-import-gpg@v6 + uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.GPG_PASSPHRASE }} - name: Install Task - uses: arduino/setup-task@v2 + uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0 with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Login to Public ECR - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: public.ecr.aws username: ${{ secrets.ECR_PUBLIC_AWS_ACCESS_KEY_ID }} @@ -73,9 +73,9 @@ jobs: git tag -f ${{ steps.version.outputs.RELEASE_VERSION }} -m "Cut Release '${{ steps.version.outputs.RELEASE_VERSION }}'" git push -f origin refs/tags/${{ steps.version.outputs.RELEASE_VERSION }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v6.4.0 + uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 with: args: release --clean --release-notes=../.changes/${{ steps.version.outputs.RELEASE_VERSION }}.md workdir: ./src diff --git a/.github/workflows/reports.yml b/.github/workflows/reports.yml index bdafb1d..671a6c6 100644 --- a/.github/workflows/reports.yml +++ b/.github/workflows/reports.yml 
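Review bot: The trailing comments on the new `uses:` lines in release.yaml mix conventions — `# v2.0.0` on `arduino/setup-task` and `# v6.4.0` on goreleaser name a release, while `# v5`, `# v6` and `# v3` name only a mutable major tag — and the tests.yml hunk has the same mix. Tools that refresh SHA pins typically read this comment to decide what the SHA corresponds to, and a major-only tag does not record which commit the SHA was checked against when the pin was made. Settle on the full release tag for every pin, e.g. `uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # <v5.x.y release>`, with the exact release looked up from the action's tags (placeholder shown).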
@@ -11,12 +11,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 submodules: 'true' - name: Snyk Test - uses: snyk/actions/golang@master + uses: snyk/actions/golang@9cf6ca713d71123d2d229cc3d7f145b96ea3c518 # master continue-on-error: true env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 255b70a..2e489af 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -14,25 +14,25 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 submodules: 'true' - name: Fetch all tags run: git fetch --force --tags - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version-file: src/go.mod cache-dependency-path: | src/go.sum - name: Install Task - uses: arduino/setup-task@v2 + uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0 with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache Go modules - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: | ~/.cache/go-build
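Review bot: The `snyk/actions/golang` pin in reports.yml records `# master` next to the SHA, which tells a reader nothing about what was pinned or when and leaves update tooling with no release tag to track. Check whether the action publishes tagged releases and pin to one, e.g. `uses: snyk/actions/golang@<release SHA> # <release tag>` (placeholders); if only `master` exists, put the date the SHA was taken in the comment so staleness is visible. Note also that `continue-on-error: true` on this step, unchanged by the commit, means a failing scan never fails the job, so the pin hardens the action but not the gate.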
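Review bot: In tests.yml, the `actions/cache` step caching `~/.cache/go-build` appears to duplicate what `actions/setup-go` already does — the hunk configures `cache-dependency-path: src/go.sum` for setup-go, which is only consumed by its built-in cache, and that cache covers the Go build directory by default. Two caches of the same directory add restore/save time to every run and can restore a stale build cache over the fresh one. If setup-go's cache is not disabled elsewhere in the file, drop the separate `actions/cache` step; if it is, a comment on the `Cache Go modules` step saying why would help the next reader. The `path:` block may list further entries beyond the hunk, which are not visible here.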