From 38ddd835df3c96d2e7d6272d4398a6d0a68e8c9c Mon Sep 17 00:00:00 2001 From: Vincent Mercier Date: Mon, 11 May 2026 17:19:42 +0200 Subject: [PATCH] chore(ci): Pin commit hash instead of major version All actions in this workflow use mutable major-version tags (e.g., actions/checkout@v4, goreleaser/goreleaser-action@v5, aws-actions/configure-aws-credentials@v4) instead of pinned commit SHAs. This workflow has contents: write and id-token: write permissions and produces official releases. If any upstream action maintainer's account is compromised, or a tag is force-pushed with malicious code, the attacker could: (1) steal the OIDC token to assume the AWS IAM role arn:aws:iam::202662887508:role/ecr-prometheus-rds-exporter, (2) steal GITHUB_TOKEN with write access to create/modify releases, (3) inject malicious code into release artifacts (binaries, Docker images, Helm charts) affecting all downstream consumers. Signed-off-by: Vincent Mercier --- .github/workflows/linter.yaml | 8 ++++---- .github/workflows/release.yaml | 16 +++++++-------- .github/workflows/test.yaml | 36 +++++++++++++++++----------------- 3 files changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/workflows/linter.yaml b/.github/workflows/linter.yaml index 9c70024..3a1b9de 100644 --- a/.github/workflows/linter.yaml +++ b/.github/workflows/linter.yaml @@ -13,13 +13,13 @@ jobs: name: golangci runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: '1.26' cache: false - name: golangci-lint - uses: golangci/golangci-lint-action@v9 + uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 with: version: v2.11.4 
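Review bot: The commit message does not describe this diff: it names `actions/checkout@v4`, `goreleaser/goreleaser-action@v5` and `aws-actions/configure-aws-credentials@v4` and the IAM role `ecr-prometheus-rds-exporter`, while the hunks replace `@v6`, `@v7` and `@v6` tags and the role visible in release.yaml is `ecr-postgresql-partition-manager`, which suggests the text was carried over from another repository; please rewrite it so the rationale matches what is actually pinned here. The pins themselves are consistent — every `uses:` now carries a 40-character SHA followed by a `# vX.Y.Z` comment — and that comment form is what Dependabot and Renovate rely on to bump hash pins, so confirm the repository has a `github-actions` updater configured; without one these hashes will silently fall behind upstream fixes, which is the usual operational cost of SHA pinning. The same applies to the release.yaml and test.yaml hunks below. The hunk header counts 13 lines but only 12 are visible, so the tail of this hunk may be outside what I can see.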
@@ -27,7 +27,7 @@ jobs: name: yamllint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Lint YAML files run: yamllint . # YAML lint is already installed in ubuntu-latest diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 3b7a8fc..231a028 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -15,12 +15,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v6 + uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1 with: aws-region: us-east-1 # ECR Public can only be logged into from the us-east-1 region role-to-assume: arn:aws:iam::202662887508:role/ecr-postgresql-partition-manager @@ -28,20 +28,20 @@ jobs: - name: Login to Amazon ECR id: login-ecr-public - uses: aws-actions/amazon-ecr-login@v2 + uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5 with: registry-type: public - run: git fetch --force --tags - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: stable - name: Set up QEMU for ARM64 build - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - - uses: goreleaser/goreleaser-action@v7 + - uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1 with: distribution: goreleaser version: latest 
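Review bot: In the release.yaml hunk at @@ -28,20 the goreleaser/goreleaser-action step is now SHA-pinned, but its `version: latest` input still downloads whichever GoReleaser release is current when the job runs, so the tool that builds and publishes the release artifacts remains a mutable, unverified dependency in exactly the job this commit sets out to lock down. Pin it to a fixed release, e.g. `version: 'vX.Y.Z'` (placeholder — use the version the project currently builds with), and apply the same change in the test.yaml hunk at @@ -121,15, which has the identical `version: latest` line. `go-version: stable` in this hunk is also a floating channel; it resolves against the official Go download index so it is a lesser concern, but the explicit `go-version: '1.26'` already used in linter.yaml would make the release build reproducible. The hunk header counts 20 lines but fewer are visible, so the remainder of the goreleaser step (its `args`/`env`) may lie outside my view.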
@@ -50,14 +50,14 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Configure AWS credentials for helm chart - uses: aws-actions/configure-aws-credentials@v6 + uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1 with: aws-region: us-east-1 # ECR Public can only be logged into from the us-east-1 region role-to-assume: arn:aws:iam::202662887508:role/ecr-postgresql-partition-manager-chart role-session-name: githubActions - name: Login to Amazon ECR for helm chart - uses: aws-actions/amazon-ecr-login@v2 + uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5 with: registry-type: public diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 2902e9b..d7c978b 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -16,8 +16,8 @@ jobs: contents: read pull-requests: write steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: '1.26' - name: Install dependencies @@ -29,7 +29,7 @@ jobs: run: make test - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: binary path: postgresql-partition-manager @@ -69,10 +69,10 @@ jobs: - 5432:5432 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Bats and bats libs - uses: bats-core/bats-action@4.0.0 + uses: bats-core/bats-action@77d6fb60505b4d0d1d73e48bd035b55074bbfb43 # 4.0.0 with: support-path: ${{ github.workspace }}/test/bats/lib/bats-support assert-path: ${{ github.workspace }}/test/bats/lib/bats-assert 
@@ -80,7 +80,7 @@ jobs: detik-install: false # Unused - name: Download artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: binary @@ -97,7 +97,7 @@ jobs: env: HELM_UNITTEST_VERSION: v0.3.5 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install helm-unittest run: helm plugin install --version $HELM_UNITTEST_VERSION https://github.com/helm-unittest/helm-unittest.git - name: Run Helm test @@ -109,7 +109,7 @@ jobs: env: KUBECONFORM_VERSION: 0.6.2 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install kubeconform run: | curl -sSLo /tmp/kubeconform.tar.gz "https://github.com/yannh/kubeconform/releases/download/v${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz" \ @@ -121,15 +121,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: stable - name: Set up QEMU for ARM64 build - uses: docker/setup-qemu-action@v4 - - uses: goreleaser/goreleaser-action@v7 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 + - uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1 with: distribution: goreleaser version: latest @@ -166,8 +166,8 @@ jobs: ports: - 5432:5432 steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: '1.26' - name: Install dependencies 
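Review bot: In the test.yaml hunk at @@ -109,7 the kubeconform install fetches a release tarball with `curl -sSLo /tmp/kubeconform.tar.gz "https://github.com/yannh/kubeconform/releases/download/v${KUBECONFORM_VERSION}/..."` and, as far as the hunk shows, never verifies it; a release tag and its attached assets can be moved or replaced just like the action tags this commit replaces, so the tarball is still an unpinned input to the job. Add a digest check before extraction, e.g. `echo "<expected-sha256>  /tmp/kubeconform.tar.gz" | sha256sum -c -` (placeholder digest, taken from the upstream release's published checksums file), unless the rest of the `run:` script, which continues past the hunk (the visible line ends with `\`), already does so. The helm-unittest install at @@ -97,7 (`helm plugin install --version $HELM_UNITTEST_VERSION ...`) has the same property; to my knowledge helm's plugin installer offers no digest verification, so the version tag is the practical ceiling there, which is worth noting in a comment on that step.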
@@ -177,7 +177,7 @@ jobs: run: make build - name: Setup Bats and bats libs - uses: bats-core/bats-action@4.0.0 + uses: bats-core/bats-action@77d6fb60505b4d0d1d73e48bd035b55074bbfb43 # 4.0.0 with: support-path: ${{ github.workspace }}/test/bats/lib/bats-support assert-path: ${{ github.workspace }}/test/bats/lib/bats-assert @@ -188,7 +188,7 @@ jobs: run: make coverage - name: Code Coverage Report - uses: irongut/CodeCoverageSummary@v1.3.0 + uses: irongut/CodeCoverageSummary@51cc3a756ddcd398d447c044c02cb6aa83fdae95 # v1.3.0 with: filename: coverage.xml badge: true @@ -199,10 +199,10 @@ jobs: indicators: true output: both thresholds: '60 80' - - uses: jwalton/gh-find-current-pr@v1 + - uses: jwalton/gh-find-current-pr@f3d61b485d2801773f7a07b2aaa3306bd8f8e653 # v1.3.5 id: finder - name: Add Coverage PR Comment - uses: marocchino/sticky-pull-request-comment@v3 + uses: marocchino/sticky-pull-request-comment@d4d6b0936434b21bc8345ad45a440c5f7d2c40ff # v3.0.3 with: number: ${{ steps.finder.outputs.pr }} path: code-coverage-results.md