chore: pin action versions to latest release and fix semver comments (#127)

grahamalama · web-flow · commit 4abebd268353 · 2026-01-30T15:09:26.000-05:00
Ensures each `uses` block in a workflow or action in this repo:
- pins the sha of the latest release
  - except setup-helm, which is pinned to 4.0.0 in most orgs
- includes a comment of the full sha tag next to the SHA
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
@@ -76,7 +76,7 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
         with:
           ref: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.sha) || github.ref }}
           persist-credentials: false
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
@@ -23,7 +23,7 @@ jobs:
       options: --cpus 1
     steps:
       - name: Clone Repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
diff --git a/.github/workflows/diff-rendered-charts.yml b/.github/workflows/diff-rendered-charts.yml
@@ -17,7 +17,7 @@ jobs:
       charts: ${{ steps.find_changed_charts.outputs.changed_charts }}
     steps:
       - name: checkout repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
         with:
          fetch-depth: '100'
          persist-credentials: true # We are using these credentials in later steps
@@ -37,14 +37,14 @@ jobs:
     strategy:
       matrix:
         chart: ${{ fromJSON(needs.get_changed_helm_charts.outputs.matrix_charts) }}
-        ref: 
+        ref:
           - name: base
             sha: ${{ github.base_ref }}
           - name: head
             sha: ${{ github.head_ref }}
     steps:
       - name: checkout repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
         with:
           persist-credentials: true # We are using these credentials in later steps
           ref: ${{ matrix.ref.sha }}
@@ -91,7 +91,7 @@ jobs:
           MATRIX_REF_NAME: ${{ matrix.ref.name }}
 
       - name: upload artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #v6.0.0
         with:
           name: "shared-${{ matrix.ref.name }}-${{ steps.render.outputs.sanitized_name }}"
           path: "shared"
@@ -106,7 +106,7 @@ jobs:
         uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f #v4.0.0
 
       - name: download artifacts
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0
         with:
           pattern: shared-*
           merge-multiple: true
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -11,8 +11,8 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
         with:
           persist-credentials: false
-      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 #v6.1.0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
       - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd #v3.0.1
diff --git a/.github/workflows/psa-checker.yml b/.github/workflows/psa-checker.yml
@@ -30,7 +30,7 @@ jobs:
       charts: ${{ steps.find_changed_charts.outputs.changed_charts }}
     steps:
       - name: checkout repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
         with:
          fetch-depth: '100'
          persist-credentials: true # We are using these credentials in the next step
@@ -52,7 +52,7 @@ jobs:
     steps:
         # Download charts already rendered by validate action
       - name: download artifacts
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0
         with:
           pattern: k8s-manifests-*
           merge-multiple: true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -15,13 +15,13 @@ jobs:
 
     steps:
       - name: checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
         with:
           fetch-depth: 0
           persist-credentials: false
 
       - name: setup node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 #v6.2.0
         with:
           node-version: "lts/*"
 
diff --git a/.github/workflows/validate-k8s-manifests.yml b/.github/workflows/validate-k8s-manifests.yml
@@ -31,7 +31,7 @@ jobs:
       charts: ${{ steps.find_changed_charts.outputs.changed_charts }}
     steps:
       - name: checkout repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
         with:
          fetch-depth: '100'
          persist-credentials: true # We are using these credentials in later steps
@@ -53,7 +53,7 @@ jobs:
         chart: ${{ fromJSON(needs.get_changed_helm_charts.outputs.matrix_charts) }}
     steps:
       - name: checkout repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
         with:
          persist-credentials: true # We are using these credentials in later steps
 
@@ -106,7 +106,7 @@ jobs:
           MATRIX_CHART: ${{ matrix.chart }}
 
       - name: upload artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #v6.0.0
         with:
           name: "k8s-manifests-${{ steps.render_head.outputs.sanitized_name }}"
           path: "shared"
@@ -135,7 +135,7 @@ jobs:
           sudo mv kubeconform /usr/local/bin/kubeconform
 
       - name: download artifacts
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0
         with:
           pattern: k8s-manifests-*
           merge-multiple: true
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Clone Repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
         with:
           persist-credentials: false
 
diff --git a/docker-build/action.yml b/docker-build/action.yml
@@ -62,7 +62,7 @@ runs:
   steps:
     - name: Set up Docker
       if: ${{ inputs.enable_attestations == 'true' }}
-      uses: docker/setup-docker-action@e43656e248c0bd0647d3f5c195d116aacf6fcaf4 # v4
+      uses: docker/setup-docker-action@e43656e248c0bd0647d3f5c195d116aacf6fcaf4 #v4.7.0
       with:
         daemon-config: |
           {
@@ -140,7 +140,7 @@ runs:
 
     - name: Docker meta
       id: meta
-      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 #v5.7.0
+      uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 #v5.10.0
       with:
         images: ${{ steps.set-images.outputs.images }}
         tags: ${{ steps.set-tags.outputs.tags }}
diff --git a/docker-push/action.yml b/docker-push/action.yml
@@ -30,14 +30,14 @@ runs:
   steps:
     - name: Authenticate to GCP
       id: gcp_auth
-      uses: google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69 #v1
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 #v3
       with:
         workload_identity_provider: "projects/${{ inputs.workload_identity_pool_project_number }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions"
         service_account: "${{ inputs.service_account_name }}@${{ inputs.project_id }}.iam.gserviceaccount.com"
         token_format: access_token
         create_credentials_file: false
     - name: Log in to GAR
-      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 #v3.7.0
       with:
         registry: ${{ inputs.gar_location }}-docker.pkg.dev
         username: oauth2accesstoken
