@@ -27,16 +27,16 @@ jobs:
2727 runs-on : ubuntu-latest
2828
2929 steps :
30- - uses : actions/checkout@v4
30+ - uses : actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
3131 with :
3232 persist-credentials : false
3333
34- - uses : actions/setup-go@v6
34+ - uses : actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
3535 with :
3636 go-version : ' ${{ env.GO_VERSION }}'
3737
3838 - name : Restore cache
39- uses : actions/cache/restore@v4
39+ uses : actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
4040 with :
4141 path : |
4242 ~/.cache/golangci-lint
5050 run : make lint
5151
5252 - name : Save cache
53- uses : actions/cache/save@v4
53+ uses : actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
5454 with :
5555 path : |
5656 ~/.cache/golangci-lint
@@ -62,11 +62,11 @@ jobs:
6262 runs-on : ubuntu-latest
6363
6464 steps :
65- - uses : actions/checkout@v4
65+ - uses : actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
6666 with :
6767 persist-credentials : false
6868
69- - uses : actions/setup-go@v5
69+ - uses : actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
7070 with :
7171 go-version : ' ${{ env.GO_VERSION }}'
7272
7878 runs-on : ubuntu-latest
7979
8080 steps :
81- - uses : actions/checkout@v4
81+ - uses : actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
8282 with :
8383 persist-credentials : false
8484
9494 runs-on : ubuntu-latest
9595
9696 steps :
97- - uses : actions/checkout@v4
97+ - uses : actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
9898 with :
9999 persist-credentials : false
100100
@@ -111,7 +111,7 @@ jobs:
111111 run : ' shasum -a 256 image.tar | tee image.tar.sha256'
112112
113113 - name : Store image
114- uses : actions/upload-artifact@v4
114+ uses : actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
115115 with :
116116 name : tested-image
117117 path : |
@@ -154,19 +154,19 @@ jobs:
154154 group : integration-${{ matrix.kubernetes }}
155155
156156 steps :
157- - uses : actions/checkout@v4
157+ - uses : actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
158158 with :
159159 persist-credentials : false
160160
161161 - name : Load image
162- uses : actions/download-artifact@v4
162+ uses : actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
163163 with :
164164 name : tested-image
165165
166166 - name : Validate hash
167167 run : ' shasum --check image.tar.sha256'
168168
169- - uses : actions/setup-go@v5
169+ - uses : actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
170170 with :
171171 go-version : ' ${{ env.GO_VERSION }}'
172172
@@ -198,23 +198,19 @@ jobs:
198198 name : Validate GitHub Workflows
199199 runs-on : ubuntu-latest
200200
201+ # More Information:
202+ # https://github.com/zizmorcore/zizmor-action?tab=readme-ov-file#usage-with-github-advanced-security-recommended
203+ #
204+ # Use `uvx zizmor .github/` for a local preview using the latest zizmor version.
205+
201206 permissions :
202207 contents : read
208+ security-events : write
203209
204210 steps :
205- - uses : actions/checkout@v4
211+ - uses : actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
206212 with :
207- fetch-depth : 0
208213 persist-credentials : false
209214
210- - name : Set up Python
211- uses : actions/setup-python@v5
212- with :
213- python-version : ' 3.13'
214-
215- - name : Check Workflows
216- run : |
217- python -m pip install zizmor --root-user-action=ignore
218- zizmor .github/workflows/*
219- env :
220- GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
215+ - name : Run zizmor 🌈
216+ uses : zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
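Review bot: The lint job pins `actions/setup-go` to a v6.1.0 commit while the two later jobs pin a v5.6.0 commit, so the workflow now freezes two different majors of the same action by hash; unless that split is deliberate, use one pin in all three places, e.g. `uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0`. The trailing `# vX.Y.Z` comments are not checked by the runner, so each SHA should be confirmed to belong to the upstream repository and the tag named beside it; the zizmor step added in the last hunk can help with this if its online audits are enabled, which is assumed from the action's defaults because no `with:` inputs are visible. Nothing on this page shows a Dependabot or Renovate configuration for `github-actions`, and without one these pins will not pick up upstream security fixes. In the zizmor job, a short comment on `security-events: write`, such as `# needed to upload SARIF results to code scanning`, would document why the job holds a write scope.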