
task: Scorecard — fix Pinned-Dependencies on virtual-workspaces (0/10 outlier) #277

@mirzakopic

Description

virtual-workspaces has Pinned-Dependencies: 0/10 despite an otherwise solid overall score (7.9). It's an outlier vs peer Go repos that score 1–6 in the same check, which suggests there's nothing pinned at all (likely missing both Action SHA pinning and Dockerfile digest pinning).

This is included as a standalone task because it's a quick win and the repo is otherwise in good shape.

Steps

  1. Read the per-repo Scorecard details at https://api.securityscorecards.dev/projects/github.com/platform-mesh/virtual-workspaces (the details field of the Pinned-Dependencies check in the returned JSON).
  2. Apply StepSecurity auto-fix URLs from the JSON to pin all third-party Actions by SHA.
  3. Pin any Dockerfile base images by digest.
  4. Set up Dependabot/Renovate digest tracking if not already running.
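As an added, constructed example (not code from the virtual-workspaces repo or from Scorecard itself), a small local check a maintainer can run before re-querying the Scorecard API: it reports Action references that are not pinned to a full commit SHA and Dockerfile base images that are not pinned by digest, the two things steps 2 and 3 fix. The regexes, function names and sample inputs (placeholder SHA and digest values) are assumptions for illustration.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")             # full commit SHA for a GitHub Action
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")   # content digest for a container image
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?([^'\"\s#]+)", re.M)
FROM_RE = re.compile(r"^[ \t]*FROM[ \t]+(?:--platform=\S+[ \t]+)?(\S+)(?:[ \t]+AS[ \t]+(\S+))?", re.I | re.M)

def find_unpinned_actions(workflow_text):
    """'uses:' refs not pinned to a commit SHA (docker:// refs need a sha256 digest); ./ actions skipped."""
    unpinned = []
    for m in USES_RE.finditer(workflow_text):
        ref = m.group(1)
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            if not DIGEST_RE.search(ref):
                unpinned.append(ref)
        elif not SHA_RE.match(ref.partition("@")[2]):
            unpinned.append(ref)
    return unpinned

def find_unpinned_images(dockerfile_text):
    """FROM images not pinned by digest; named build stages and scratch are skipped."""
    stages, unpinned = set(), []
    for m in FROM_RE.finditer(dockerfile_text):
        image, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage)
        if image != "scratch" and image not in stages and not DIGEST_RE.search(image):
            unpinned.append(image)
    return unpinned

# Constructed sample inputs with placeholder SHA/digest values (not real commits or images).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
"""
SAMPLE_DOCKERFILE = """\
FROM golang:1.22 AS build
FROM gcr.io/distroless/static@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
COPY --from=build /app /app
"""
```

Run it over every file under .github/workflows and every Dockerfile; an empty result from both functions is the state the Pinned-Dependencies check rewards, and a Dependabot or Renovate digest-update config (step 4) keeps it that way.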

Note

This work is also covered by the org-wide Pinned-Dependencies tracker — keeping this as a standalone task because the 0/10 score makes it the highest-impact single-repo fix in that category. Close this once virtual-workspaces reaches Pinned-Dependencies: ≥ 7/10.

Objectives

  • virtual-workspaces reaches Pinned-Dependencies: 8/10 or higher.
  • Overall Scorecard score for the repo crosses 8.5.

Demo Required

None

Demo Steps

No response

Epic: #278
