📌 Pin GitHub actions (#1303)

LogFlames · web-flow · commit c418ee3e2ea8 · 2025-08-20T13:52:16.000+02:00
diff --git a/.github/workflows/code-qualitiy.yml b/.github/workflows/code-qualitiy.yml
@@ -37,7 +37,7 @@ jobs:
         uses: ./.github/actions/ghasum
 
       - name: Set up JDK 17
-        uses: actions/setup-java@v4.7.1
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           java-version: '17'
           distribution: 'temurin'
@@ -89,7 +89,7 @@ jobs:
         uses: ./.github/actions/ghasum
 
       - name: Set up JDK 17
-        uses: actions/setup-java@v4.7.1
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           java-version: '17'
           distribution: 'temurin'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -66,14 +66,14 @@ jobs:
         uses: ./.github/actions/ghasum
 
       - name: Set up JDK 17
-        uses: actions/setup-java@v4.7.1
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           java-version: '17'
           distribution: 'temurin'
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3.29.10
+        uses: github/codeql-action/init@96f518a34f7a870018057716cc4d7a5c014bd61c # v3.29.10
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -87,6 +87,6 @@ jobs:
         run: mvn -B  clean package
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3.29.10
+        uses: github/codeql-action/analyze@96f518a34f7a870018057716cc4d7a5c014bd61c # v3.29.10
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -34,4 +34,4 @@ jobs:
         uses: ./.github/actions/ghasum
 
       - name: Dependency review
-        uses: actions/dependency-review-action@v4.7.2
+        uses: actions/dependency-review-action@bc41886e18ea39df68b1b1245f4184881938e050 # v4.7.2
diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml
@@ -50,6 +50,6 @@ jobs:
 
       - name: Commit changes
         if: steps.check_changes.outputs.changes == 'true'
-        uses: stefanzweifel/git-auto-commit-action@v6.0.1
+        uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
         with:
           commit_message: "📝 Update Documentation with current version"
diff --git a/.github/workflows/gha.sum b/.github/workflows/gha.sum
@@ -1,16 +1,14 @@
 version 1
 
-actions/cache@v4.2.4 Wn6UGuh8/0fkcOLI8uEQmhssKaMEfnm77brXOpwKe7A=
+actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 Wn6UGuh8/0fkcOLI8uEQmhssKaMEfnm77brXOpwKe7A=
 actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 aYx2ZNrV/U9daVa5XJLnuR3depD7lQqzkyRhH4E9bOU=
-actions/dependency-review-action@v4.7.2 Gd1O6ZG0JtkpyKVsxOwIuNtshdlcYheIADUYdNOIOjo=
-actions/setup-go@v5.5.0 vSiNC7HetrtPF3QhZDzPHWyJ1e8pFltzruLjcw65Sok=
+actions/dependency-review-action@bc41886e18ea39df68b1b1245f4184881938e050 Gd1O6ZG0JtkpyKVsxOwIuNtshdlcYheIADUYdNOIOjo=
+actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 vSiNC7HetrtPF3QhZDzPHWyJ1e8pFltzruLjcw65Sok=
 actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 XE1eqHfEOlHsHx+3cUQA1OGC3jxGBnmx7eTIdEzwSoI=
-actions/setup-java@v4.7.1 cKZQn6p38RgADB4MCMpbFp94sScgm/u3B7rEDB9QS5I=
+actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 cKZQn6p38RgADB4MCMpbFp94sScgm/u3B7rEDB9QS5I=
 actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 kZHHfo2NsxevBRTKrZnUpDu0Cxgtj5Vooe4x4rylvg8=
-actions/upload-artifact@v4.6.2 kZHHfo2NsxevBRTKrZnUpDu0Cxgtj5Vooe4x4rylvg8=
 github/codeql-action@96f518a34f7a870018057716cc4d7a5c014bd61c h0CGAC50uRuMQV8hj6pLuc5zMsaXvXYE/35vEhbnEbs=
-github/codeql-action@v3.29.10 h0CGAC50uRuMQV8hj6pLuc5zMsaXvXYE/35vEhbnEbs=
-jreleaser/release-action@2.4.2 Ixc/05XDYYHGUvtC6Jt9gB/mpHPIwBX7PR8At1yEWSs=
+jreleaser/release-action@f69e545b05f149483cecb2fb81866247992694b8 Ixc/05XDYYHGUvtC6Jt9gB/mpHPIwBX7PR8At1yEWSs=
 ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde NlVzVIaycy3fhYp7tgiwvpWvzSsPa48uTVejF6tHEog=
-stefanzweifel/git-auto-commit-action@v6.0.1 5+Y5J+dG+VvtR13IIYuBHcAdJAcnDBQU/U0sRO3YZZw=
+stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 5+Y5J+dG+VvtR13IIYuBHcAdJAcnDBQU/U0sRO3YZZw=
 step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 rG/FhhPP4VlsNB/2lKudn7rieQAYYNLIRb34q19qmFU=
diff --git a/.github/workflows/ghasum.yml b/.github/workflows/ghasum.yml
@@ -35,7 +35,7 @@ jobs:
           mode: update
 
       - name: Commit gha.sum
-        uses: stefanzweifel/git-auto-commit-action@v6.0.1
+        uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
         with:
           commit_message: "chore: update ghasum checksums"
           file_pattern: .github/workflows/gha.sum
diff --git a/.github/workflows/jreleaser.yml b/.github/workflows/jreleaser.yml
@@ -42,7 +42,7 @@ jobs:
         uses: ./.github/actions/ghasum
 
       - name: Set up JDK 17
-        uses: actions/setup-java@v4.7.1
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           java-version: '17'
           distribution: 'temurin'
@@ -54,7 +54,7 @@ jobs:
           git config --global user.email "<>"
 
       - name: install go
-        uses: actions/setup-go@v5.5.0
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 
       - name: install semversion
         run: go install github.com/ffurrer2/semver/cmd/semver@latest
@@ -114,7 +114,7 @@ jobs:
         run: mvn help:evaluate -Dexpression=project.version -q -DforceStdout | sed 's/-SNAPSHOT//'
 
       - name: Run JReleaser
-        uses: jreleaser/release-action@2.4.2
+        uses: jreleaser/release-action@f69e545b05f149483cecb2fb81866247992694b8 # 2.4.2
         with:
           setup-java: false
           version: 1.18.0
@@ -191,7 +191,7 @@ jobs:
       # Log failure:
       - name: JReleaser release output
         if: always()
-        uses: actions/upload-artifact@v4.6.2
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: jreleaser-release
           path: |
diff --git a/.github/workflows/smoke-tests.yml b/.github/workflows/smoke-tests.yml
@@ -41,15 +41,15 @@ jobs:
       - name: Verify action checksums
         uses: ./.github/actions/ghasum
 
-      - uses: actions/cache@v4.2.4
+      - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: /root/.jbang
           key: $-jbang-$
           restore-keys: |
               $-jbang-
 
       - name: Set up JDK 17
-        uses: actions/setup-java@v4.7.1
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           java-version: '17'
           distribution: 'temurin'
diff --git a/renovate.json b/renovate.json
@@ -1,6 +1,7 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
+    "helpers:pinGitHubActionDigests",
     "config:recommended"
   ],
   "gitIgnoredAuthors": [

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"$schema": "https://docs.renovatebot.com/renovate-schema.json",`
`3`	`3`	`"extends": [`
	`4`	`+ "helpers:pinGitHubActionDigests",`
`4`	`5`	`"config:recommended"`
`5`	`6`	`],`
`6`	`7`	`"gitIgnoredAuthors": [`