chore(deps): be explicit about GH actions

.github/workflows/ci.yaml

@@ -3,18 +3,18 @@ name: CI
 on:
   push:
     branches:
-    - '*'
+      - "*"
     tags:
-    - 'v*'
+      - "v*"
   pull_request:
     branches:
-    - '*'
+      - "*"
 
 jobs:
   verify:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Check Helm generated values are up-to-date
         run: |
           make check-generated-values

.github/workflows/e2e-tests.yml

@@ -3,12 +3,12 @@ name: End-to-end tests
 on:
   push:
     branches:
-    - '*'
+      - "*"
     tags:
-    - 'v*'
+      - "v*"
   pull_request:
     branches:
-    - 'main'
+      - "main"
 
 jobs:
   images:
@@ -21,8 +21,7 @@ jobs:
       policy-server-tag: ${{ steps.get-policy-server.outputs.policy-server-tag }}
     steps:
       - name: "Checkout repository"
-        uses: actions/checkout@v4
-
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: "Get controller container image"
         id: get-controller
         shell: bash
@@ -46,4 +45,3 @@ jobs:
       controller-image-tag: ${{ needs.images.outputs.controller-image-tag }}
       policy-server-repository: ${{ needs.images.outputs.policy-server-repository }}
       policy-server-tag: ${{ needs.images.outputs.policy-server-tag }}
-

.github/workflows/helm-chart-release.yml

@@ -32,8 +32,7 @@ name: Release helm chart
 on:
   push:
     branches:
-    - main
-
+      - main
 
 jobs:
   release:
@@ -44,7 +43,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           fetch-depth: 0
 
@@ -58,12 +57,12 @@ jobs:
           make check-generated-values
 
       - name: Install Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
         with:
           version: v3.8.0
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@v3
+        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
 
       - name: Generate container image files
         run: |
@@ -80,7 +79,7 @@ jobs:
           make generate-changelog-files
 
       - name: Run chart-releaser
-        uses: helm/[email protected]
+        uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
         with:
           charts_dir: charts
         env:
@@ -99,7 +98,7 @@ jobs:
           cp -f artifacthub-repo.yml ./to-gh-pages/
 
       - name: Deploy readme to GH pages
-        uses: peaceiris/[email protected]
+        uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./to-gh-pages
@@ -143,7 +142,7 @@ jobs:
           done
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}

.github/workflows/update-charts.yml

@@ -14,7 +14,7 @@ jobs:
       prerelease: ${{ steps.check_update_type.outputs.prerelease }}
     steps:
       - name: Validate payload
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             let repository = context.payload.client_payload.repository
@@ -68,7 +68,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Set environment variables
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             core.exportVariable("UPDATECLI_GITHUB_OWNER", context.repo["owner"])
@@ -79,7 +79,7 @@ jobs:
 
       - name: Download CRDS controller
         if: endsWith(github.event.client_payload.repository, 'kubewarden-controller')
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             let repository = context.payload.client_payload.repository
@@ -99,7 +99,7 @@ jobs:
 
       - name: Download CRDS audit-scanner
         if: endsWith(github.event.client_payload.repository, 'audit-scanner')
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             let repository = context.payload.client_payload.repository
@@ -166,10 +166,10 @@ jobs:
     if: needs.check-update-type.outputs.update_type == 'major' || needs.check-update-type.outputs.update_type == 'minor' || needs.check-update-type.outputs.update_type == 'prerelease'
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
 
       - name: Check if all components has a release with the same tag
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             let repository_split = context.payload.client_payload.repository.split("/")
@@ -187,7 +187,7 @@ jobs:
 
       - name: Check if CRD are available in the Kubewarden controller
         id: download_crds_controller
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             let repository_split = context.payload.client_payload.repository.split("/")
@@ -229,7 +229,7 @@ jobs:
 
       - name: Check if CRD are available in the audit scanner
         id: download_crds_audit_scanner
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             let repository_split = context.payload.client_payload.repository.split("/")
@@ -294,7 +294,7 @@ jobs:
           echo "must_update_crds_chart=$?" >> $GITHUB_OUTPUT
 
       - name: Install Updatecli in the runner
-        uses: updatecli/updatecli-action@v2
+        uses: updatecli/updatecli-action@44ba4a4e7e8252bef669b5525de7ca158830750e # v2.35.0
 
       - name: Major or minor update Kubewarden charts with NO CRDs update
         if: steps.update_crds.outputs.must_update_crds_chart==0 &&  (needs.check-update-type.outputs.update_type == 'major' || needs.check-update-type.outputs.update_type == 'minor')

renovate.json

@@ -2,7 +2,10 @@
   "extends": [
     "config:base",
     "group:allNonMajor",
-    "schedule:earlyMondays"
+    "schedule:earlyMondays",
+    "helpers:pinGitHubActionDigests"
   ],
-  "labels": ["dependencies"]
+  "labels": [
+    "dependencies"
+  ]
 }