chore: update CI workflows to pin pip packages and go packages (#6498)

* Pin pip dependencies by hash in docs workflow

Generate a locked requirements.txt with full SHA256 hashes for all
dependencies (direct and transitive) using pip-compile --generate-hashes.
Add --require-hashes to pip install commands in the workflow.

Keep the original version-pinned requirements as requirements.in for
future updates via pip-compile.

* Verify golangci-lint install script integrity with SHA256

Download the install script to a temp file and verify its SHA256
checksum before executing, replacing the curl-pipe-to-sh pattern.
This satisfies the OpenSSF Scorecard pinned-dependencies check.

* Pin helm-docs to v1.14.2 in helm-tools.sh

Replace @latest with a specific version to satisfy the OpenSSF
Scorecard pinned-dependencies check. Go modules with full semantic
versions are treated as pinned since the Go tool verifies downloaded
content against the checksum database.

Add a renovate comment for automated version updates.

Author: Raffo

.github/workflows/docs.yaml

@@ -35,7 +35,9 @@ jobs:
           cache: "pip"
           cache-dependency-path: "./docs/scripts/requirements.txt"
 
-      - run: pip install -r docs/scripts/requirements.txt
+      # To update dependencies, edit docs/scripts/requirements.in and run:
+      #   pip-compile --generate-hashes --strip-extras --output-file=docs/scripts/requirements.txt docs/scripts/requirements.in
+      - run: pip install --require-hashes -r docs/scripts/requirements.txt
 
       - name: lint and build docs
         run: mkdocs build --strict
@@ -58,7 +60,7 @@ jobs:
           cache: "pip"
           cache-dependency-path: "./docs/scripts/requirements.txt"
 
-      - run: pip install -r docs/scripts/requirements.txt
+      - run: pip install --require-hashes -r docs/scripts/requirements.txt
 
       - name: Configure Git user
         run: |

docs/scripts/requirements.in

@@ -0,0 +1,8 @@
+mkdocs-git-revision-date-localized-plugin == 1.5.2
+mkdocs == 1.6.1
+mkdocs-macros-plugin == 1.5.0
+mkdocs-material == 9.7.6
+mkdocs-literate-nav == 0.6.3
+mkdocs-same-dir == 0.1.5
+mdx-truly-sane-lists == 1.3
+mike == 2.2.0