ci: pin third-party actions to SHAs (upgrade to latest releases) (#4)

bsgrigorov · web-flow · commit 8f82ae3abb8c · 2026-03-25T01:29:00.000-06:00
- kics-github-action v2.1.20
- tj-actions/changed-files v47.0.5
- docker/login-action v4.0.0
- helm/chart-releaser-action v1.7.0

Made-with: Cursor
diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml
@@ -50,7 +50,7 @@ jobs:
         run: mkdir -p results-dir
 
       - name: Run KICS scan
-        uses: Checkmarx/kics-github-action@v2.1.19
+        uses: Checkmarx/kics-github-action@05aa5eb70eede1355220f4ca5238d96b397e30a6 # v2.1.20
         with:
           path: "."
           output_path: "results-dir"
diff --git a/.github/workflows/test-and-release.yml b/.github/workflows/test-and-release.yml
@@ -35,7 +35,7 @@ jobs:
       - name: Get changed files
         id: changes
         if: ${{ github.event_name != 'workflow_dispatch' }}
-        uses: tj-actions/changed-files@v47
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
 
       - name: Detect changed charts
         id: matrix
@@ -124,9 +124,9 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
-      - uses: azure/setup-helm@v4.3.1
-      - uses: mikefarah/yq@v4.52.4
-      - uses: azure/setup-kubectl@v4
+      - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+      - uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4
+      - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
 
       - name: Update Helm repositories
         run: |
@@ -190,8 +190,8 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
-      - uses: azure/setup-helm@v4.3.1
-      - uses: mikefarah/yq@v4.52.4
+      - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+      - uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4
 
       - name: Get chart version
         id: vars
@@ -208,7 +208,7 @@ jobs:
           path: charts/${{ matrix.chart }}/
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -247,8 +247,8 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: azure/setup-helm@v4.3.1
-      - uses: mikefarah/yq@v4.52.4
+      - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+      - uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4
 
       - name: Get repository info
         run: |
@@ -297,7 +297,7 @@ jobs:
           echo "✅ Cleanup complete"
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.7.0
+        uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0
         env:
           CR_TOKEN: ${{ github.token }}
         with:
