chore(deps): pin trusted workflows based on HashiCorp TSCCR (#3770)

Bumping GitHub Actions version to latest TSCCR release.

* changes in `.github/workflows/build.yml`
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
* changes in `.github/workflows/docker.yml`
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
* changes in `.github/workflows/examples.yml`
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
* changes in `.github/workflows/integration.yml`
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/cache/restore` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/cache/restore` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/setup-go` from `v5.0.2` to `v5.1.0` ([release
notes](https://github.com/actions/setup-go/releases/tag/v5.1.0))
* changes in `.github/workflows/linting.yml`
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
* changes in `.github/workflows/pr-copyright.yml`
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
* changes in `.github/workflows/pr-depcheck.yml`
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
* changes in `.github/workflows/provider-integration.yml`
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/cache/restore` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/setup-go` from `v5.0.2` to `v5.1.0` ([release
notes](https://github.com/actions/setup-go/releases/tag/v5.1.0))
- bump `actions/cache/restore` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
* changes in `.github/workflows/registry-docs-pr-based.yml`
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/setup-node` from `v4.0.4` to `v4.1.0` ([release
notes](https://github.com/actions/setup-node/releases/tag/v4.1.0))
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/setup-node` from `v4.0.4` to `v4.1.0` ([release
notes](https://github.com/actions/setup-node/releases/tag/v4.1.0))
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
* changes in `.github/workflows/release.yml`
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
* changes in `.github/workflows/release_next.yml`
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
* changes in `.github/workflows/unit.yml`
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
* changes in `.github/workflows/website-release.yml`
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
* changes in `.github/workflows/yarn-upgrade.yml`
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))
- bump `actions/checkout` from `v4.2.1` to `v4.2.2` ([release
notes](https://github.com/actions/checkout/releases/tag/v4.2.2))
- bump `actions/cache` from `v4.1.1` to `v4.1.2` ([release
notes](https://github.com/actions/cache/releases/tag/v4.1.2))

_This PR was auto-generated by
[security-tsccr/actions/runs/11773085209](https://github.com/hashicorp/security-tsccr/actions/runs/11773085209)_

_You can alter the configuration of this automation via the hcl config
in
[security-tsccr/automation](https://github.com/hashicorp/security-tsccr/tree/main/automation)_

_This PR can be regenerated by dispatching the GitHub workflow [Pin
Action
Refs](https://github.com/hashicorp/security-tsccr/actions/workflows/pin-workflows.yml).
Please reach out to #team-prodsec if you have any questions._
[](hashicorp/security-tsccr#193)

Co-authored-by: hashicorp-tsccr[bot] <hashicorp-tsccr[bot]@users.noreply.github.com>

Author: hashicorp-tsccr[bot]

.github/workflows/build.yml

@@ -22,7 +22,7 @@ jobs:
     timeout-minutes: 60
 
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: "Add Git safe.directory" # Go 1.18+ started embedding repo info in the build and e.g. building @cdktf/hcl2json fails without this
         run: git config --global --add safe.directory /__w/terraform-cdk/terraform-cdk
       - name: ensure correct user
@@ -34,14 +34,14 @@ jobs:
           echo "yarn=$(yarn cache dir)" >> $GITHUB_OUTPUT
           mkdir -p /usr/local/share/.cache/go
           echo "go=/usr/local/share/.cache/go" >> $GITHUB_OUTPUT
-      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.yarn }}
           key: yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-build
           restore-keys: |
             yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-
             yarn-${{ runner.os }}-
-      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.go }}
           key: go-${{ runner.os }}-${{ hashFiles('**/go.sum') }}-build

.github/workflows/docker.yml

@@ -16,11 +16,11 @@ jobs:
     if: github.repository == 'hashicorp/terraform-cdk'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
       - name: Cache Docker layers
-        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ hashFiles('/Dockerfile', '.terraform.versions.json') }}

.github/workflows/examples.yml

@@ -24,7 +24,7 @@ jobs:
       examples: ${{ steps.set-examples.outputs.examples }}
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - id: set-examples
         run: |
           tfDefault=$(cat .terraform.versions.json | jq -r '.default')
@@ -45,7 +45,7 @@ jobs:
       CHECKPOINT_DISABLE: "1"
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: "Add Git safe.directory" # Go 1.18+ started embedding repo info in the build and e.g. building @cdktf/hcl2json fails without this
         run: git config --global --add safe.directory /__w/terraform-cdk/terraform-cdk
       - name: ensure correct user
@@ -59,20 +59,20 @@ jobs:
           echo "terraform=/usr/local/share/.cache/terraform" >> $GITHUB_OUTPUT
           mkdir -p /usr/local/share/.cache/go
           echo "go=/usr/local/share/.cache/go" >> $GITHUB_OUTPUT
-      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.yarn }}
           key: yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-examples
           restore-keys: |
             yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-
             yarn-${{ runner.os }}-
-      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.terraform }}
           key: terraform-${{ runner.os }}-${{ matrix.terraform }}-examples
           restore-keys: |
             terraform-${{ runner.os }}-${{ matrix.terraform }}
-      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.go }}
           key: go-${{ runner.os }}-${{ hashFiles('**/go.sum') }}-examples

.github/workflows/integration.yml

@@ -28,7 +28,7 @@ jobs:
     timeout-minutes: 60
 
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: "Add Git safe.directory" # Go 1.18+ started embedding repo info in the build and e.g. building @cdktf/hcl2json fails without this
         run: git config --global --add safe.directory /__w/terraform-cdk/terraform-cdk
       - name: ensure correct user
@@ -40,14 +40,14 @@ jobs:
           echo "yarn=$(yarn cache dir)" >> $GITHUB_OUTPUT
           mkdir -p /usr/local/share/.cache/go
           echo "go=/usr/local/share/.cache/go" >> $GITHUB_OUTPUT
-      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.yarn }}
           key: yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-integration
           restore-keys: |
             yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-
             yarn-${{ runner.os }}-
-      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.go }}
           key: go-${{ runner.os }}-${{ hashFiles('**/go.sum') }}-integration
@@ -103,7 +103,7 @@ jobs:
     timeout-minutes: 60
 
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: ensure correct user
         run: chown -R root /__w/terraform-cdk
       # Setup caches for yarn, terraform, and go
@@ -116,21 +116,21 @@ jobs:
           mkdir -p /usr/local/share/.cache/go
           echo "go=/usr/local/share/.cache/go" >> $GITHUB_OUTPUT
       # only restore as an individual cache as per matrix explodes our cache usage
-      - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.yarn }}
           key: yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-integration
           restore-keys: |
             yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-
             yarn-${{ runner.os }}-
-      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.terraform }}
           # put matrix before integration to not restore caches from other sibling matrix jobs
           key: terraform-${{ runner.os }}-${{ matrix.terraform }}-matrix-integration-${{ matrix.target }}
           restore-keys: |
             terraform-${{ runner.os }}-${{ matrix.terraform }}-
-      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.go }}
           # put matrix before integration to not restore caches from other sibling matrix jobs
@@ -176,7 +176,7 @@ jobs:
     timeout-minutes: 60
 
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       # Setup caches for yarn, terraform, and go
       - name: Get cache directory paths
         id: global-cache-dir-path
@@ -188,21 +188,21 @@ jobs:
           mkdir -p /usr/local/share/.cache/go
           echo "go=/usr/local/share/.cache/go" >> $GITHUB_OUTPUT
       # only restore as an individual cache as per matrix explodes our cache usage
-      - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.yarn }}
           key: yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-integration
           restore-keys: |
             yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-
             yarn-${{ runner.os }}-
-      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.terraform }}
           # put matrix before integration to not restore caches from other sibling matrix jobs
           key: terraform-${{ runner.os }}-${{ matrix.terraform }}-matrix-integration-${{ matrix.target }}
           restore-keys: |
             terraform-${{ runner.os }}-${{ matrix.terraform }}-
-      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.go }}
           # put matrix before integration to not restore caches from other sibling matrix jobs
@@ -219,7 +219,7 @@ jobs:
       - name: Install pipenv
         run: pip install pipenv
       - name: Install Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: 1.18.x
           cache: false # This is disabled because we don't have a go.sum file and setup-go expects it to use caching. Thus, caching is always broken anyways

.github/workflows/linting.yml

@@ -20,7 +20,7 @@ jobs:
     container:
       image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: installing dependencies
         run: |
           yarn install --frozen-lockfile
@@ -33,7 +33,7 @@ jobs:
     container:
       image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: installing dependencies
         run: |
           yarn install --frozen-lockfile

.github/workflows/pr-copyright.yml

@@ -18,7 +18,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}

.github/workflows/pr-depcheck.yml

@@ -28,7 +28,7 @@ jobs:
           ]
 
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: "Run Depcheck"
         run: |
           npx lerna exec --scope '${{ matrix.package }}' -- npx -y depcheck --ignores="@types/*,jsii,jsii-pacmak,jsii-docgen,yoga-layout-prebuilt,eslint,jest,tsc-files,typescript,esbuild,esbuild-jest,graphology-types"

.github/workflows/provider-integration.yml

@@ -33,7 +33,7 @@ jobs:
     timeout-minutes: 60
 
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: "Add Git safe.directory" # Go 1.18+ started embedding repo info in the build and e.g. building @cdktf/hcl2json fails without this
         run: git config --global --add safe.directory /__w/terraform-cdk/terraform-cdk
       - name: ensure correct user
@@ -45,14 +45,14 @@ jobs:
           echo "yarn=$(yarn cache dir)" >> $GITHUB_OUTPUT
           mkdir -p /usr/local/share/.cache/go
           echo "go=/usr/local/share/.cache/go" >> $GITHUB_OUTPUT
-      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.yarn }}
           key: yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-provider-integration
           restore-keys: |
             yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-
             yarn-${{ runner.os }}-
-      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.go }}
           key: go-${{ runner.os }}-${{ hashFiles('**/go.sum') }}-provider-integration
@@ -96,7 +96,7 @@ jobs:
     timeout-minutes: 60
 
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Download dist
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
@@ -111,14 +111,14 @@ jobs:
           mkdir -p /usr/local/share/.cache/terraform
           echo "terraform=/usr/local/share/.cache/terraform" >> $GITHUB_OUTPUT
       # Only restoring yarn caches as the dependencies are not indiviual to each matrix job
-      - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.yarn }}
           key: yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-provider-integration
           restore-keys: |
             yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-
             yarn-${{ runner.os }}-
-      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.terraform }}
           # put matrix before provider-integration to not restore caches from other sibling matrix jobs
@@ -147,7 +147,7 @@ jobs:
     timeout-minutes: 60
 
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: HashiCorp - Setup Terraform
         uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1
         with:
@@ -156,7 +156,7 @@ jobs:
       - name: Install pipenv
         run: pip install pipenv
       - name: Install Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: 1.16.x
       - name: Download dist
@@ -172,14 +172,14 @@ jobs:
           mkdir -p /usr/local/share/.cache/terraform
           echo "terraform=/usr/local/share/.cache/terraform" >> $GITHUB_OUTPUT
       # Only restoring yarn caches to save available cache storage size
-      - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.yarn }}
           key: yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-provider-integration
           restore-keys: |
             yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-
             yarn-${{ runner.os }}-
-      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.global-cache-dir-path.outputs.terraform }}
           # put matrix before provider-integration to not restore caches from other sibling matrix jobs

.github/workflows/registry-docs-pr-based.yml

@@ -69,7 +69,7 @@ jobs:
   cdktfDocsCleanupBranches:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: ${{ inputs.repository }}
           ref: ${{ inputs.branch }}
@@ -88,7 +88,7 @@ jobs:
     needs:
       - cdktfDocsCleanupBranches
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: ${{ inputs.repository }}
           ref: ${{ inputs.branch }}
@@ -110,14 +110,14 @@ jobs:
       CHECKPOINT_DISABLE: "1"
     timeout-minutes: 120
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: ${{ inputs.repository }}
           ref: ${{ inputs.branch }}
           token: ${{ secrets.GH_PR_TOKEN }}
 
       - name: Setup Node.js
-        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: "20.x"
 
@@ -150,7 +150,7 @@ jobs:
       CHECKPOINT_DISABLE: "1"
     timeout-minutes: 360
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: ${{ inputs.repository }}
           ref: ${{ inputs.branch }}
@@ -162,7 +162,7 @@ jobs:
           git config --global --add safe.directory $(pwd)
 
       - name: Setup Node.js
-        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: "20.x"
 
@@ -200,7 +200,7 @@ jobs:
       - cdktfDocsConvert
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: ${{ inputs.repository }}
           fetch-depth: 0 # complete checkout

.github/workflows/release.yml

@@ -26,7 +26,7 @@ jobs:
     env:
       CHECKPOINT_DISABLE: "1"
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0 # gives sentry access to all previous commits
       - name: "Add Git safe.directory" # Go 1.18+ started embedding repo info in the build and e.g. building @cdktf/hcl2json fails without this
@@ -155,7 +155,7 @@ jobs:
     container:
       image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: installing dependencies
         run: |
           yarn install --frozen-lockfile
@@ -320,7 +320,7 @@ jobs:
     container:
       image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: version
         id: get_version
         run: |