chore(deps): pin github actions by hash (#12958)

datosh · web-flow · commit 9a033a0b9219 · 2025-08-18T08:24:23.000-06:00
Signed-off-by: Fabian Kammel &lt;fabian@kammel.dev&gt;
diff --git a/.github/workflows/close-stale.yml b/.github/workflows/close-stale.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Close stale issues and PRs
-        uses: actions/stale@v9
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
           # Disable automatic stale marking - only close manually labeled items
           days-before-stale: -1
diff --git a/.github/workflows/plantuml.yml b/.github/workflows/plantuml.yml
diff --git a/.github/workflows/release-x-manual-docker-containers.yml b/.github/workflows/release-x-manual-docker-containers.yml
@@ -86,7 +86,7 @@ jobs:
 
         # upload the digest file as artifact
       - name: Upload digest
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: digests-${{ matrix.docker-image}}-${{ matrix.os }}-${{ env.PLATFORM }}
           path: ${{ runner.temp }}/digests/*
diff --git a/.github/workflows/release-x-manual-merge-container-digests.yml b/.github/workflows/release-x-manual-merge-container-digests.yml
@@ -39,7 +39,7 @@ jobs:
 
       # only download digests for this image and this os
     - name: Download digests
-      uses: actions/download-artifact@v5
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         path: ${{ runner.temp }}/digests
         pattern: digests-${{ matrix.docker-image}}-${{ matrix.os }}-*
@@ -52,7 +52,7 @@ jobs:
         password: ${{ secrets.DOCKERHUB_TOKEN }}
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       # the alpine and debian images are tagged with the os name
     - name: Create OS specific manifest list and push
diff --git a/.github/workflows/release-x-manual-tag-as-latest.yml b/.github/workflows/release-x-manual-tag-as-latest.yml
@@ -43,7 +43,7 @@ jobs:
         password: ${{ secrets.DOCKERHUB_TOKEN }}
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       # debian images are the default / official ones, and these were already tagged, so these get the latest tag
     - name: Tag Debian with latest tags
diff --git a/.github/workflows/release_drafter_valentijn.yml b/.github/workflows/release_drafter_valentijn.yml
@@ -20,7 +20,7 @@ jobs:
   update_release_draft:
     runs-on: ubuntu-latest
     steps:
-      - uses: valentijnscholten/release-drafter@master  # TODO: not maintained anymore - missing part is maybe already solved in the upstream
+      - uses: valentijnscholten/release-drafter@f587de96a420b4b7f767d7eb12817926f18cad69 # master  # TODO: not maintained anymore - missing part is maybe already solved in the upstream
         with:
           version: ${{github.event.inputs.version}}  
           previous-version: ${{github.event.inputs.previous-version}} 
