From ec05686523cc8ef1344c6d575576ff69eb3b50e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc=20Sch=C3=A4fer?= <git@marcschaeferger.de>
Date: Tue, 21 Oct 2025 00:21:28 +0200
Subject: [PATCH] ci(actions): pin action versions to commit SHAs for security

- Pin actions/checkout to SHA for v5.0.0
- Pin docker/setup-qemu-action to SHA for v3.6.0
- Pin docker/setup-buildx-action to SHA for v3.11.1
- Pin docker/login-action to SHA for v3.6.0
- Pin actions/setup-go to SHA for v6.0.0
- Pin actions/upload-artifact to SHA for v4.6.2
---
 .github/workflows/cicd.yml | 14 +++++++-------
 .github/workflows/test.yml |  4 ++--
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 68ad5bb..d81d8c1 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -11,20 +11,20 @@ on:
 jobs:
     release:
         name: Build and Release
-        runs-on: amd64-runner
+        runs-on: ubuntu-latest
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@v5
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
             - name: Set up QEMU
-              uses: docker/setup-qemu-action@v3
+              uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
             - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3
+              uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@v3
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
               with:
                   username: ${{ secrets.DOCKER_HUB_USERNAME }}
                   password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
@@ -34,7 +34,7 @@ jobs:
               run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
 
             - name: Install Go
-              uses: actions/setup-go@v6
+              uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
               with:
                   go-version: 1.25
 
@@ -58,7 +58,7 @@ jobs:
                   make go-build-release
 
             - name: Upload artifacts from /bin
-              uses: actions/upload-artifact@v4
+              uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
               with:
                   name: binaries
                   path: bin/
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 643628b..40759fa 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,10 +14,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: 1.25