From 8d75e791928610a6f1eefcdd3013273e3e520377 Mon Sep 17 00:00:00 2001
From: Oleg Smirnov
Date: Sat, 17 May 2025 18:00:04 +0200
Subject: [PATCH 1/4] do not automerge PRs for github actions
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1d6f9c4..256e775 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -99,7 +99,7 @@ jobs:
 needs: build
 runs-on: ubuntu-latest
- if: (!cancelled() && github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]')
+ if: (!cancelled() && github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && !contains(github.event.pull_request.labels.*.name, 'github_actions'))
 permissions:
 contents: write
From 75c5559fdfdf835ce665b4cbf1554698791121e7 Mon Sep 17 00:00:00 2001
From: Oleg Smirnov
Date: Sat, 17 May 2025 18:07:26 +0200
Subject: [PATCH 2/4] hash-pin actions that interact with docker image
---
 .github/workflows/build-all.yml | 8 ++++----
 .github/workflows/build-image.yml | 8 ++++----
 zizmor.yml | 2 ++
 3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/build-all.yml b/.github/workflows/build-all.yml
index d754018..3976703 100644
--- a/.github/workflows/build-all.yml
+++ b/.github/workflows/build-all.yml
@@ -54,7 +54,7 @@ jobs:
 - name: Build
 id: build_image
- uses: redhat-actions/buildah-build@v2
+ uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
 with:
 context: '.'
 containerfiles: |
@@ -93,7 +93,7 @@ jobs:
 run: echo "current_version=${CURRENT_VERSION}"
 - name: Log in to ghcr.io
- uses: redhat-actions/podman-login@v1
+ uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
 username: ${{ github.actor }}
 password: ${{ github.token }}
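Review bot: The new `if:` clause in the build.yml hunk excludes PRs by a label that Dependabot only attaches by default, and nothing in the hunk records that dependency: if `labels:` is ever customized in the repository's dependabot.yml, the default `github_actions` label is replaced and this exclusion silently stops working, so those PRs would be auto-merged again. A comment above the `if:` would make the assumption explicit, e.g. `# Dependabot labels github-actions updates 'github_actions' by default; those are deliberately not auto-merged`. The condition is now long enough that a folded scalar (`if: >-`) with one clause per line would read better than a single line. The job definition that owns this `if:` starts before the hunk.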
@@ -107,14 +107,14 @@ jobs:
 - name: Publish
 id: push
- uses: redhat-actions/push-to-registry@v2
+ uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
 with:
 image: ${{ steps.build_image.outputs.image }}
 tags: ${{ steps.current-version.outputs.value }} ${{ steps.build_image.outputs.tags }}
 registry: ${{ env.IMAGE_REGISTRY }}
 - name: Generate attestation for images
- uses: actions/attest-build-provenance@v2
+ uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
 with:
 subject-name: ${{ env.IMAGE_REGISTRY }}/${{ steps.build_image.outputs.image }}
 subject-digest: ${{ steps.push.outputs.digest }}
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
index f94cc72..dd730d3 100644
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@@ -50,7 +50,7 @@ jobs:
 - name: Build
 id: build_image
- uses: redhat-actions/buildah-build@v2
+ uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # 2.13
 with:
 context: '.'
 containerfiles: |
@@ -85,7 +85,7 @@ jobs:
 echo "Collected version: $version"
 - name: Log in to ghcr.io
- uses: redhat-actions/podman-login@v1
+ uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
 username: ${{ github.actor }}
 password: ${{ github.token }}
@@ -101,7 +101,7 @@ jobs:
 - name: Publish
 id: push
- uses: redhat-actions/push-to-registry@v2
+ uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
 with:
 image: ${{ steps.build_image.outputs.image }}
 tags: ${{ steps.current-version.outputs.value }} ${{ steps.build_image.outputs.tags }}
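Review bot: The version comment on the new `uses:` line in the build-image.yml `@@ -50,7` hunk reads `# 2.13`, while the identical pin in build-all.yml carries `# v2.13`, which is also the form of the upstream tag name. As far as I know the tools that refresh these trailing comments on a hash bump (Dependabot, Renovate) match them against the tag, so the comment in the `v`-less form is the one most likely to fall out of sync with the SHA later, and reviewers comparing the two files will see a spurious difference. Change it to `uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13` so both workflows agree.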
@@ -109,7 +109,7 @@ jobs:
 if: inputs.publish-image
 - name: Generate attestation for images
- uses: actions/attest-build-provenance@v2
+ uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
 with:
 subject-name: ${{ env.IMAGE_REGISTRY }}/${{ steps.build_image.outputs.image }}
 subject-digest: ${{ steps.push.outputs.digest }}
diff --git a/zizmor.yml b/zizmor.yml
index efced06..272a5f2 100644
--- a/zizmor.yml
+++ b/zizmor.yml
@@ -2,5 +2,7 @@ rules:
 unpinned-uses:
 config:
 policies:
+ actions/attest-build-provenance: hash-pin
 actions/*: ref-pin
+ redhat-actions/*: hash-pin
 "*": ref-pin
From d3489e5a334511b01b9b27aa8aa2c1eb54dfc0c9 Mon Sep 17 00:00:00 2001
From: Oleg Smirnov
Date: Sat, 17 May 2025 19:00:59 +0200
Subject: [PATCH 3/4] return actions/attest-build-provenance to be pinned by ref
---
 .github/workflows/build-all.yml | 2 +-
 .github/workflows/build-image.yml | 2 +-
 zizmor.yml | 1 -
 3 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-all.yml b/.github/workflows/build-all.yml
index 3976703..e752e51 100644
--- a/.github/workflows/build-all.yml
+++ b/.github/workflows/build-all.yml
@@ -114,7 +114,7 @@ jobs:
 registry: ${{ env.IMAGE_REGISTRY }}
 - name: Generate attestation for images
- uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
+ uses: actions/attest-build-provenance@v2
 with:
 subject-name: ${{ env.IMAGE_REGISTRY }}/${{ steps.build_image.outputs.image }}
 subject-digest: ${{ steps.push.outputs.digest }}
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
index dd730d3..d4d9ac7 100644
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
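Review bot: The build-all.yml `@@ -114,7` hunk of patch 3 loosens `actions/attest-build-provenance` back to the floating `@v2` tag with no recorded reason, on the one step that signs the published image's provenance; the same revert is made to build-image.yml in the following hunk. Because the matching zizmor policy line is dropped in the same commit, the intent will not be recoverable from the config either, and a later reader is likely to treat the ref pin as an oversight and re-tighten it. Please add a comment on the `uses:` line in both workflows, e.g. `uses: actions/attest-build-provenance@v2  # ref-pinned on purpose: <reason>`, or state the reason in the commit message.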
@@ -109,7 +109,7 @@ jobs:
 if: inputs.publish-image
 - name: Generate attestation for images
- uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
+ uses: actions/attest-build-provenance@v2
 with:
 subject-name: ${{ env.IMAGE_REGISTRY }}/${{ steps.build_image.outputs.image }}
 subject-digest: ${{ steps.push.outputs.digest }}
diff --git a/zizmor.yml b/zizmor.yml
index 272a5f2..6cb820e 100644
--- a/zizmor.yml
+++ b/zizmor.yml
@@ -2,7 +2,6 @@ rules:
 unpinned-uses:
 config:
 policies:
- actions/attest-build-provenance: hash-pin
 actions/*: ref-pin
 redhat-actions/*: hash-pin
 "*": ref-pin
From b86f9b0901305df378805fc759df99d9daf41260 Mon Sep 17 00:00:00 2001
From: Oleg Smirnov
Date: Sat, 17 May 2025 19:05:17 +0200
Subject: [PATCH 4/4] add bowtie to list of allowed ref-pin actions
---
 zizmor.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/zizmor.yml b/zizmor.yml
index 6cb820e..28129c7 100644
--- a/zizmor.yml
+++ b/zizmor.yml
@@ -3,5 +3,4 @@ rules:
 config:
 policies:
 actions/*: ref-pin
- redhat-actions/*: hash-pin
- "*": ref-pin
+ bowtie-json-schema/bowtie: ref-pin
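Review bot: The zizmor.yml hunk of patch 4 does more than its subject "add bowtie" says: removing `"*": ref-pin` means every `uses:` not matched by `actions/*` or the new bowtie entry now falls back to zizmor's built-in default policy, which I believe is `hash-pin`. That is what makes dropping `redhat-actions/*: hash-pin` harmless, but it also means any third-party action added later must be hash-pinned or listed here, and nothing in the file says so. A comment under `policies:` would preserve the intent, e.g. `# anything not listed here falls back to zizmor's default policy (hash-pin); add ref-pin exceptions explicitly`. The `rules:` block that owns these lines starts before the hunk.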