fix: pin 11 unpinned action(s) (#6042)

dagecko · web-flow · commit 828d488e470f · 2026-03-26T14:01:38.000-07:00
Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard). Changes: .github/workflows/checks.yml | 14 +++++++------- .github/workflows/codespell.yml | 2 +- .github/workflows/promote.yml | 2 +- .github/workflows/release.yml | 4 ++-- 4 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -21,10 +21,10 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
-      - uses: golangci/golangci-lint-action@v9
+      - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
         with:
           version: v2.11.4
-      - uses: megalinter/megalinter/flavors/go@v8.4.2
+      - uses: megalinter/megalinter/flavors/go@ec124f7998718d79379a3c5b39f5359952baf21d # v8.4.2
         env:
           DEFAULT_BRANCH: master
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -40,14 +40,14 @@ jobs:
         with:
           fetch-depth: 2
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
       - name: Run Tests
         run: go run gotest.tools/gotestsum@latest --junitfile unit-tests.xml --format pkgname -- -v -cover -coverpkg=./... -coverprofile=coverage.txt -covermode=atomic -timeout 20m ./...
       - name: Test Summary
-        uses: test-summary/action@v2.4
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
         with:
           paths: 'unit-tests.xml'
         if: always()
@@ -56,7 +56,7 @@ jobs:
       - name: Run act from cli without docker support
         run: go run -tags WITHOUT_DOCKER main.go -P ubuntu-latest=-self-hosted -C ./pkg/runner/testdata/ -W ./local-action-js/push.yml
       - name: Upload Codecov report
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
         with:
           files: coverage.txt
           fail_ci_if_error: true # optional (default = false)
@@ -81,7 +81,7 @@ jobs:
         run: go run gotest.tools/gotestsum@latest --junitfile unit-tests.xml --format pkgname -- -v -cover -coverpkg=./... -coverprofile=coverage.txt -covermode=atomic -timeout 20m -run ^TestRunEventHostEnvironment$ ./...
         shell: bash
       - name: Test Summary
-        uses: test-summary/action@v2.4
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
         with:
           paths: 'unit-tests.xml'
         if: always()
@@ -95,7 +95,7 @@ jobs:
         with:
           go-version-file: go.mod
       - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v7
+        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7
         with:
           version: '~> v2'
           args: release --snapshot --clean
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
@@ -20,4 +20,4 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
       - name: Codespell
-        uses: codespell-project/actions-codespell@v2
+        uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # v2
diff --git a/.github/workflows/promote.yml b/.github/workflows/promote.yml
@@ -19,7 +19,7 @@ jobs:
           fetch-depth: 0
           ref: master
           token: ${{ secrets.PROMOTE_TOKEN }}
-      - uses: fregante/setup-git-user@v2.0.2
+      - uses: fregante/setup-git-user@024bc0b8e177d7e77203b48dab6fb45666854b35 # v2.0.2
         if: steps.checkout.conclusion != 'skipped'
       - uses: actions/setup-go@v6
         if: steps.checkout.conclusion != 'skipped'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,14 +21,14 @@ jobs:
         with:
           go-version-file: go.mod
       - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v7
+        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7
         with:
           version: '~> v2'
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Winget
-        uses: vedantmgoyal2009/winget-releaser@v2
+        uses: vedantmgoyal2009/winget-releaser@4ffc7888bffd451b357355dc214d43bb9f23917e # v2
         with:
           identifier: nektos.act
           installers-regex: '_Windows_\w+\.zip$'
