Harden GitHub Actions workflows (#92)

- Upgrade actions/checkout to v6 and disable persisted credentials where safe.
- Pin external actions, reusable workflow dependencies, tool versions, and container images to immutable refs.
- Replace runtime latest-tag resolution in release workflows with fixed commit or tag pins.

Author: cbruno10

.github/workflows/assign-issue-to-project.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Add issue to project
-        uses: actions/add-to-project@v1.0.2
+        uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/turbot/projects/34
           github-token: ${{ secrets.GH_PROJECT_PAT }}

.github/workflows/golangci-lint.yml

@@ -15,9 +15,13 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
       - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version: '1.26.*'
+
       - name: golangci-lint
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
         with:

.github/workflows/registry-publish-ghcr-azuread-large-runners.yml

@@ -36,8 +36,9 @@ jobs:
           echo "PIPELING_NAME=${{ inputs.pipeling }}" >> $GITHUB_ENV
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          persist-credentials: false
           path: ${{ inputs.pipeling }}-plugin
           fetch-depth: 0
 
@@ -97,15 +98,15 @@ jobs:
 
       # ---- Build: Linux (clean first) ----
       - name: Run GoReleaser (Linux)
-        uses: goreleaser/goreleaser-action@v5 # Latest version
+        uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5
         with:
           workdir: ${{ inputs.pipeling }}-plugin
           version: latest
           args: release --clean --skip=publish --timeout=${{ inputs.releaseTimeout }} -f .goreleaser.linux.yml
 
       # ---- Build: Darwin (no clean; keep Linux artifacts) ----
       - name: Run GoReleaser (Darwin)
-        uses: goreleaser/goreleaser-action@v5 # Latest version
+        uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5
         with:
           workdir: ${{ inputs.pipeling }}-plugin
           version: latest

.github/workflows/registry-publish-ghcr-large-runners.yml

@@ -24,7 +24,6 @@ env:
   CR_PREFIX: turbot/${{ inputs.pipeling }}/plugins
   CONFIG_SCHEMA_VERSION: "2020-11-18"
   ORAS_VERSION: 1.3.0
-  GOLANG_CROSS_VERSION: v1.26
 
 jobs:
   build-deploy:
@@ -40,8 +39,9 @@ jobs:
           echo "PIPELING_NAME=${{ inputs.pipeling }}" >> $GITHUB_ENV
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          persist-credentials: false
           path: ${{ inputs.pipeling }}-plugin
           fetch-depth: 0
 
@@ -114,7 +114,7 @@ jobs:
 
       - name: Run GoReleaser (steampipe)
         if: ${{ inputs.useCgo == false || inputs.useCgo == 'false' }}
-        uses: goreleaser/goreleaser-action@v5 # Latest version
+        uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5
         with:
           workdir: ${{ inputs.pipeling }}-plugin
           version: latest
@@ -132,13 +132,14 @@ jobs:
         if: ${{ inputs.useCgo == true || inputs.useCgo == 'true' }}
         run: |-
           cd ${{ inputs.pipeling }}-plugin
+          # goreleaser-cross v1.26
           docker run \
             --rm \
             -e CGO_ENABLED=1 \
             -v /var/run/docker.sock:/var/run/docker.sock \
             -v $PWD:/go/src/plugin \
             -w /go/src/plugin \
-            ghcr.io/goreleaser/goreleaser-cross:${GOLANG_CROSS_VERSION} \
+            ghcr.io/goreleaser/goreleaser-cross@sha256:e76ed3b998f05e4599445e674b6190d037e5550ebd60894b8ab9a152e665976c \
             release --clean --skip=publish --skip=validate --timeout=${{ inputs.releaseTimeout }}
 
       - name: List Build Artifacts
@@ -211,7 +212,7 @@ jobs:
       # Upload build artifacts for inspection
       - name: Upload build artifacts
         if: always() # Run even if previous steps fail
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: plugin-archives-${{ env.VERSION }}
           path: |

.github/workflows/registry-publish-ghcr.yml

@@ -24,7 +24,6 @@ env:
   CR_PREFIX: turbot/${{ inputs.pipeling }}/plugins
   CONFIG_SCHEMA_VERSION: "2020-11-18"
   ORAS_VERSION: 1.3.0
-  GOLANG_CROSS_VERSION: v1.26
 
 jobs:
   build-deploy:
@@ -39,8 +38,9 @@ jobs:
           echo "PIPELING_NAME=${{ inputs.pipeling }}" >> $GITHUB_ENV
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          persist-credentials: false
           path: ${{ inputs.pipeling }}-plugin
           fetch-depth: 0
 
@@ -97,7 +97,7 @@ jobs:
 
       - name: Run GoReleaser (steampipe)
         if: ${{ inputs.useCgo == false || inputs.useCgo == 'false' }}
-        uses: goreleaser/goreleaser-action@v5 # Latest version
+        uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5
         with:
           workdir: ${{ inputs.pipeling }}-plugin
           version: latest
@@ -107,13 +107,14 @@ jobs:
         if: ${{ inputs.useCgo == true || inputs.useCgo == 'true' }}
         run: |-
           cd ${{ inputs.pipeling }}-plugin
+          # goreleaser-cross v1.26
           docker run \
             --rm \
             -e CGO_ENABLED=1 \
             -v /var/run/docker.sock:/var/run/docker.sock \
             -v $PWD:/go/src/plugin \
             -w /go/src/plugin \
-            ghcr.io/goreleaser/goreleaser-cross:${GOLANG_CROSS_VERSION} \
+            ghcr.io/goreleaser/goreleaser-cross@sha256:e76ed3b998f05e4599445e674b6190d037e5550ebd60894b8ab9a152e665976c \
             release --clean --skip=publish --skip=validate --timeout=${{ inputs.releaseTimeout }}
 
       - name: List Build Artifacts