From d063617027d95e30f9c33d33250cd24d8b05d4a2 Mon Sep 17 00:00:00 2001
From: Benjamin Lindner
Date: Tue, 20 Jan 2026 00:11:34 +0100
Subject: [PATCH 1/2] fix: GH Code Scan: Reference setup-go actions by hash
---
 .github/actions/setup-tools/action.yml | 2 +-
 .github/workflows/create-release-go-module.yml | 2 +-
 .github/workflows/lint-golangci.yml | 2 +-
 .github/workflows/test-unit.yml | 2 +-
 .github/workflows/verify-unit-test-coverage.yml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/actions/setup-tools/action.yml b/.github/actions/setup-tools/action.yml
index e69347e4ae..2794e59134 100644
--- a/.github/actions/setup-tools/action.yml
+++ b/.github/actions/setup-tools/action.yml
@@ -39,7 +39,7 @@ runs:
 - uses: ./lifecycle-manager/.github/actions/install-k3d
 with:
 k3d_version: ${{ inputs.k3d_version }}
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
 with:
 go-version-file: ${{ inputs.go-version-file }}
 cache-dependency-path: ${{ inputs.cache-dependency-path }}
diff --git a/.github/workflows/create-release-go-module.yml b/.github/workflows/create-release-go-module.yml
index 121dc841b3..a8a066989a 100644
--- a/.github/workflows/create-release-go-module.yml
+++ b/.github/workflows/create-release-go-module.yml
@@ -34,7 +34,7 @@ jobs:
 path: lifecycle-manager
 - name: Setup Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
 with:
 go-version-file: ./lifecycle-manager/${{ inputs.go_version_file }}
 cache-dependency-path: ./lifecycle-manager/${{ inputs.go_sum_file }}
diff --git a/.github/workflows/lint-golangci.yml b/.github/workflows/lint-golangci.yml
index ae35af53a7..6981ebb585 100644
--- a/.github/workflows/lint-golangci.yml
+++ b/.github/workflows/lint-golangci.yml
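Review bot: In `.github/actions/setup-tools/action.yml` the pin replaces `actions/setup-go@v5` with a commit annotated `# v6.2.0`, so the step moves up a major version although the subject line announces only a reference by hash; the same v5 to v6.2.0 jump appears in `lint-golangci.yml`, `test-unit.yml` and `verify-unit-test-coverage.yml`. A major release of an action can change its runtime and runner requirements, so the upgrade deserves its own line in the commit message, for example `Also upgrades actions/setup-go from v5 to v6.2.0`, or else a pin to the commit of the v5 release already in use. Nothing on the page ties the 40-character hash to the tag named in the trailing comment, so confirm it against the upstream `actions/setup-go` tag before merging.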
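Review bot: The `Setup Go` step in `.github/workflows/create-release-go-module.yml` keeps `cache-dependency-path`, which suggests the setup-go cache stays enabled in a job that produces a release. A restored module or build cache is an input the new hash pin does not cover, and `lint-golangci.yml` in this same patch already sets `cache: false`; replacing `cache-dependency-path` with `cache: false` under `with:` would keep release builds from consuming cached state. The `with:` block may continue past the end of the hunk, so check that no `cache:` key already follows.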
@@ -18,7 +18,7 @@ jobs:
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 path: lifecycle-manager
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
 with:
 go-version-file: './lifecycle-manager/go.mod'
 cache: false
diff --git a/.github/workflows/test-unit.yml b/.github/workflows/test-unit.yml
index 488ab97a71..a5e47558f9 100644
--- a/.github/workflows/test-unit.yml
+++ b/.github/workflows/test-unit.yml
@@ -16,7 +16,7 @@ jobs:
 - name: Checkout lifecycle-manager
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
 with:
 go-version-file: 'go.mod'
 - name: Run 'make test'
diff --git a/.github/workflows/verify-unit-test-coverage.yml b/.github/workflows/verify-unit-test-coverage.yml
index 3a3db7633b..a6d274b11d 100644
--- a/.github/workflows/verify-unit-test-coverage.yml
+++ b/.github/workflows/verify-unit-test-coverage.yml
@@ -29,7 +29,7 @@ jobs:
 with:
 path: codebase
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
 with:
 go-version-file: ${{ github.workspace }}/codebase/go.mod
 - name: Run the quality gate verification
From bb4600ff06d142cd1fa016831e5fd5e31ee049fd Mon Sep 17 00:00:00 2001
From: Benjamin Lindner
Date: Tue, 20 Jan 2026 00:14:53 +0100
Subject: [PATCH 2/2] fix: GH Code Scan: Reference github-script actions by hash
---
 .github/workflows/check-pipeline-changes.yml | 8 ++++----
 .github/workflows/check-test-changes.yml | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/check-pipeline-changes.yml b/.github/workflows/check-pipeline-changes.yml
index 1f508c09e6..c3591fde4b 100644
--- a/.github/workflows/check-pipeline-changes.yml
+++ b/.github/workflows/check-pipeline-changes.yml
@@ -12,7 +12,7 @@ jobs:
 steps:
 - name: Get list of changed files
 id: changed-files
- uses: actions/github-script@v7
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 with:
 script: |
 const { data: files } = await github.rest.pulls.listFiles({
@@ -49,7 +49,7 @@ jobs:
 - name: Check if 'pipeline-changed' Label Exists
 id: check-pipeline-label
- uses: actions/github-script@v7
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 with:
 script: |
 const labelName = 'pipeline-changed';
@@ -63,7 +63,7 @@ jobs:
 - name: Add PR Comment & Label if Pipeline Changes Detected
 if: steps.eval-changes.outputs.pipeline_changed == 'true' && steps.check-pipeline-label.outputs.result != 'true'
- uses: actions/github-script@v7
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 with:
 script: |
 await github.rest.issues.createComment({
@@ -81,7 +81,7 @@ jobs:
 - name: Remove 'pipeline-changed' Label if No Changes Detected
 if: steps.eval-changes.outputs.pipeline_changed == 'false'
- uses: actions/github-script@v7
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 with:
 script: |
 const labelName = 'pipeline-changed';
diff --git a/.github/workflows/check-test-changes.yml b/.github/workflows/check-test-changes.yml
index 959ccbdcad..437b858c9a 100644
--- a/.github/workflows/check-test-changes.yml
+++ b/.github/workflows/check-test-changes.yml
@@ -16,7 +16,7 @@ jobs:
 - name: Get list of changed files
 id: changed-files
- uses: actions/github-script@v7
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 with:
 script: |
 const { data: pullRequest } = await github.rest.pulls.get({
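Review bot: All four `actions/github-script` steps in `check-pipeline-changes.yml`, and the one in `check-test-changes.yml`, go from `@v7` to a commit annotated `# v8.0.0`, so the inline `script:` bodies now run under a new major version of the action while the subject mentions only the hash reference. The visible scripts call `github.rest.pulls.listFiles`, `github.rest.issues.createComment` and `github.rest.pulls.get`, and each one continues past the end of its hunk, so running both workflows on a test pull request is the practical check that they behave as before. Pinned hashes no longer follow a moving tag, so they need something to keep them current: if the repository has no Dependabot entry for the `github-actions` ecosystem yet, adding one would keep the hash and its version comment updated together.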