ci: updated all workflows to be pinned to commit hashes ahead of renovate connection (#1989)

* ci: updated all workflows to be pinned to commit hashes ahead of renovate connection

* ci: update doc links regex

* ci: bump version for codeql-action

* ci: bump version for action/cache to v4.2.0

* ci: adding package-manager-cache: false to the node v5 setup steps

* ci: remove the --include to test precedence as it was overriding

* chore: added missing @ from commit hash

* ci: updates to shas to bring up to latest, also update to renovate config to account for major versions

* chore: update renovate global minimum age settings

* updated node sha

* Apply suggestion from @M0NsTeRRR

Co-authored-by: Ludovic Ortega <ludovic.ortega@adminafk.fr>

* Apply suggestion from @M0NsTeRRR

Co-authored-by: Ludovic Ortega <ludovic.ortega@adminafk.fr>

* Apply suggestion from @M0NsTeRRR

Co-authored-by: Ludovic Ortega <ludovic.ortega@adminafk.fr>

* Apply suggestion from @M0NsTeRRR

* Apply suggestion from @M0NsTeRRR

---------

Co-authored-by: Ludovic Ortega <ludovic.ortega@adminafk.fr>
Joe Harrison
2025-10-07 19:55:56 +01:00
committed by GitHub
parent 3ff1c061b8
commit 2e6a19d3b5
20 changed files with 101 additions and 96 deletions


@@ -4,13 +4,12 @@
"config:recommended",
":dependencyDashboard",
":timezone(UTC)",
"docker:enableMajor",
"docker:pinDigests",
"group:nextjsMonorepo",
"group:reactMonorepo",
"group:typescript-eslintMonorepo",
"group:tailwindcssMonorepo",
"github>seerr-team/seerr//.github/renovate/actions.json5",
"github>seerr-team/seerr//.github/renovate/docker.json5",
"github>seerr-team/seerr//.github/renovate/groups.json5",
"github>seerr-team/seerr//.github/renovate/helm.json5",
"github>seerr-team/seerr//.github/renovate/labels.json5",
@@ -20,5 +19,6 @@
"dependencyDashboardTitle": "Renovate Dashboard 🤖",
"suppressNotifications": ["prEditedNotification", "prIgnoreNotification"],
"rebaseWhen": "conflicted",
"labels": ["dependencies"]
"labels": ["dependencies"],
"minimumReleaseAge": "7 days"
}


@@ -8,7 +8,6 @@
{
matchManagers: ['github-actions'],
groupName: 'GitHub Actions',
minimumReleaseAge: '7 days',
},
],
}

8
.github/renovate/docker.json5 vendored Normal file

@@ -0,0 +1,8 @@
{
$schema: 'https://docs.renovatebot.com/renovate-schema.json',
extends: [
'docker:enableMajor',
'docker:pinDigests'
],
}
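Review bot: The `docker:pinDigests` preset enabled here produces digest updates, and the global `"minimumReleaseAge": "7 days"` this commit adds may not cover them. Renovate can only hold an update back when the datasource reports a release timestamp, and a digest-only change does not necessarily carry one (inferred from Renovate's documented behaviour, not from this page). Confirm on the first digest PR that the age check shows as pending, or add a comment here such as `// digest updates may bypass minimumReleaseAge; review before merge`. If the gap is real, a packageRule with `matchUpdateTypes: ['digest']` and automerge disabled keeps those PRs under manual review.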


@@ -7,7 +7,6 @@
matchPackageNames: ['node'],
matchManagers: ['dockerfile', 'npm'],
groupName: 'Node.js',
minimumReleaseAge: '7 days',
commitMessageTopic: 'Node.js',
},
@@ -15,7 +14,6 @@
{
matchPackageNames: ['pg', 'sqlite3', 'typeorm'],
groupName: 'Database',
minimumReleaseAge: '7 days',
},
],
}


@@ -5,6 +5,7 @@
{
matchManagers: ['helm-values'],
matchFileNames: ['charts/*/values.yaml'],
minimumReleaseAge: '0'
},
],
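Review bot: `minimumReleaseAge: '0'` exempts `helm-values` updates under `charts/*/values.yaml` from the 7-day global age this commit sets in the main config, and nothing in the rule records why. Add a comment above the line stating the reason, for example `// values.yaml tracks this repo's own image releases, so no cooldown applies` if that is the intent (inferred, please confirm). Writing it as `'0 days'` would match the duration form used for the global setting. The surrounding `packageRules` array continues outside the hunk.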


@@ -26,12 +26,12 @@ jobs:
container: node:22-alpine
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Pnpm Setup
uses: pnpm/action-setup@v4
uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
- name: Get pnpm store directory
shell: sh
@@ -39,7 +39,7 @@ jobs:
echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- name: Setup pnpm cache
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ${{ env.STORE_PATH }}
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -75,7 +75,7 @@ jobs:
runs-on: ${{ matrix.runner }}
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
@@ -84,10 +84,10 @@ jobs:
run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Warm cache (no push) — ${{ matrix.platform }}
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
file: ./Dockerfile
@@ -111,7 +111,7 @@ jobs:
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
@@ -120,16 +120,16 @@ jobs:
run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Log in to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
@@ -137,7 +137,7 @@ jobs:
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
with:
images: |
${{ github.repository }}
@@ -149,7 +149,7 @@ jobs:
org.opencontainers.image.created=${{ steps.ts.outputs.TIMESTAMP }}
- name: Build & Push (multi-arch, single tag)
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
file: ./Dockerfile
@@ -184,7 +184,7 @@ jobs:
fi
- name: Post Status to Discord
uses: sarisia/actions-status-discord@v1
uses: sarisia/actions-status-discord@58667542682a27f270460405363e3a982f57a7ee # v1.0.0
with:
webhook: ${{ secrets.DISCORD_WEBHOOK }}
status: ${{ steps.status.outputs.status }}
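Review bot: The `# v1.0.0` comment on the `sarisia/actions-status-discord@58667542…` pin in the last hunk should be checked against the tag that SHA actually belongs to. The ref it replaces, `@v1`, floated to the newest 1.x release. So either this pin is a large downgrade of a step that receives `secrets.DISCORD_WEBHOOK`, or the comment is wrong. If the comment is wrong, Renovate will propose updates from the wrong baseline, because it reads the current version from that trailing comment. The same line appears in the Discord step of the release workflow further down this commit. The job body around this step starts outside the hunk.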


@@ -37,20 +37,20 @@ jobs:
language: [actions, javascript]
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
with:
languages: ${{ matrix.language }}
queries: +security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v3
uses: github/codeql-action/autobuild@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
with:
category: '/language:${{ matrix.language }}'


@@ -27,7 +27,7 @@ jobs:
pull-requests: write
steps:
- name: Apply label
uses: eps1lon/actions-label-merge-conflict@v3
uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
with:
dirtyLabel: 'merge conflict'
commentOnDirty: 'This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.'


@@ -37,23 +37,24 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Set up Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version-file: package.json
package-manager-cache: false
- name: Pnpm Setup
uses: pnpm/action-setup@v4
uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Setup cypress cache
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ~/.cache/Cypress
key: ${{ runner.os }}-cypress-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -66,7 +67,7 @@ jobs:
run: pnpm exec cypress install
- name: Cypress run
uses: cypress-io/github-action@v6
uses: cypress-io/github-action@b8ba51a856ba5f4c15cf39007636d4ab04f23e3c # v6.10.2
with:
install: false
build: pnpm cypress:build


@@ -22,18 +22,19 @@ jobs:
name: Build Docusaurus
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
persist-credentials: false
- name: Set up Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version-file: package.json
package-manager-cache: false
- name: Pnpm Setup
uses: pnpm/action-setup@v4
uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
- name: Get pnpm store directory
shell: sh
@@ -41,7 +42,7 @@ jobs:
echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- name: Setup pnpm cache
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ${{ env.STORE_PATH }}
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -58,7 +59,7 @@ jobs:
run: pnpm build
- name: Upload Build Artifact
uses: actions/upload-pages-artifact@v4
uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b6 # v4.0.0
with:
path: gen-docs/build
@@ -76,4 +77,4 @@ jobs:
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4
uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
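Review bot: The pin for `actions/upload-pages-artifact` in the `Upload Build Artifact` hunk is 41 hex characters long (`7b1f4a76…4fb0b6`), one more than a full commit SHA. The ref will most likely fail to resolve and the job will stop when the action is downloaded. Every other action pin in this commit is exactly 40 characters, so this looks like a stray trailing character. Re-copy the commit SHA for the v4.0.0 tag from the action's repository rather than trimming by hand. A lint step that checks `uses:` refs against `^[0-9a-f]{40}$` would catch this class of typo before merge.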


@@ -36,27 +36,22 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
persist-credentials: false
- name: Run Lychee link checker
uses: lycheeverse/lychee-action@v2
uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2.6.1
with:
fail: false
args: >-
--verbose
--no-progress
--accept 200..204,300..304,307,308,404,429,999
--include '^(http|https)://.*'
--exclude '^file://'
--exclude '^https?://localhost'
--exclude '^https?://127\.0\.0\.1'
--exclude '^https?://0\.0\.0\.0'
--exclude '^https?://\[\:\:1\]'
--exclude '^https?://\[\:\:\]'
--exclude '^https?://support.discord.com'
--exclude '^https?://(localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\]|\[::\])'
--exclude '^https?://support\.discord\.com'
'./docs/**/*.md'
'./docs/**/*.mdx'
'./gen-docs/**/*.md'
@@ -65,7 +60,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload Lychee report
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: lychee-report
path: |


@@ -28,19 +28,19 @@ jobs:
has_artifacts: ${{ steps.check-artifacts.outputs.has_artifacts }}
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
persist-credentials: false
- name: Install helm
uses: azure/setup-helm@v4
uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
- name: Install Oras
uses: oras-project/setup-oras@v1
uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@@ -76,7 +76,7 @@ jobs:
fi
- name: Upload artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
if: steps.check-artifacts.outputs.has_artifacts == 'true'
with:
name: artifacts
@@ -93,28 +93,28 @@ jobs:
if: needs.package-helm-chart.outputs.has_artifacts == 'true'
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
persist-credentials: false
- name: Install helm
uses: azure/setup-helm@v4
uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
- name: Install Oras
uses: oras-project/setup-oras@v1
uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4
- name: Install Cosign
uses: sigstore/cosign-installer@v3
uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
- name: Downloads artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
with:
name: artifacts
path: .cr-release-packages/
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: ghcr.io
username: ${{ github.actor }}
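Review bot: `actions/upload-artifact` is pinned in the `Upload artifacts` hunk to `c7d193f3… # v4.0.0`, while the link-checker workflow in this same commit pins the same action to `ea165f8d… # v4.6.2`. The `@v4` ref being replaced would have resolved to the newest 4.x, so this job moves back to the first v4 release and loses the later fixes. Use the same SHA in both workflows unless the older release is deliberate. The artifact is read back by `actions/download-artifact@634f93cb… # v5.0.0` in the next job, so confirm that pairing is supported. Both job bodies extend outside the visible hunks.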


@@ -28,19 +28,19 @@ jobs:
contents: read
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
persist-credentials: false
- name: Set up Helm
uses: azure/setup-helm@v4
uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
- name: Set up chart-testing
uses: helm/chart-testing-action@v2
uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
- name: Ensure documentation is updated
uses: docker://jnorwood/helm-docs:v1.14.2
uses: docker://jnorwood/helm-docs@sha256:7e562b49ab6b1dbc50c3da8f2dd6ffa8a5c6bba327b1c6335cc15ce29267979c # v1.14.2
- name: Run chart-testing (list-changed)
id: list-changed


@@ -30,7 +30,7 @@ jobs:
runs-on: ${{ matrix.runner }}
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
@@ -39,7 +39,7 @@ jobs:
run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Derive preview version from tag
id: ver
@@ -52,7 +52,7 @@ jobs:
echo "Building preview version: ${VER}"
- name: Warm cache (no push) — ${{ matrix.platform }}
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
file: ./Dockerfile
@@ -76,7 +76,7 @@ jobs:
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
@@ -85,16 +85,16 @@ jobs:
run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Log in to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
@@ -112,7 +112,7 @@ jobs:
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
with:
images: |
${{ github.repository }}
@@ -124,7 +124,7 @@ jobs:
org.opencontainers.image.created=${{ steps.ts.outputs.TIMESTAMP }}
- name: Build & Push (multi-arch, single tag)
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
file: ./Dockerfile


@@ -23,18 +23,19 @@ jobs:
new_release_version: ${{ steps.release.outputs.new_release_version }}
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
persist-credentials: false
- name: Set up Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version-file: package.json
package-manager-cache: false
- name: Pnpm Setup
uses: pnpm/action-setup@v4
uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
- name: Get pnpm store directory
shell: sh
@@ -42,7 +43,7 @@ jobs:
echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- name: Setup pnpm cache
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ${{ env.STORE_PATH }}
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -54,7 +55,7 @@ jobs:
- name: Release
id: release
uses: cycjimmy/semantic-release-action@v5
uses: cycjimmy/semantic-release-action@9cc899c47e6841430bbaedb43de1560a568dfd16 # v5.0.0
with:
extra_plugins: |
@semantic-release/git@10
@@ -79,7 +80,7 @@ jobs:
runs-on: ${{ matrix.runner }}
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
@@ -88,10 +89,10 @@ jobs:
run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Warm cache (no push) — ${{ matrix.platform }}
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
file: ./Dockerfile
@@ -116,7 +117,7 @@ jobs:
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
@@ -125,16 +126,16 @@ jobs:
run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Log in to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
@@ -142,7 +143,7 @@ jobs:
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
with:
images: |
${{ github.repository }}
@@ -153,7 +154,7 @@ jobs:
org.opencontainers.image.created=${{ steps.ts.outputs.TIMESTAMP }}
- name: Build & Push (multi-arch, single tag)
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
file: ./Dockerfile
@@ -191,7 +192,7 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Get Build Job Status
uses: technote-space/workflow-conclusion-action@v3
uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3.0.3
- name: Combine Job Status
id: status
@@ -204,7 +205,7 @@ jobs:
fi
- name: Post Status to Discord
uses: sarisia/actions-status-discord@v1
uses: sarisia/actions-status-discord@58667542682a27f270460405363e3a982f57a7ee # v1.0.0
with:
webhook: ${{ secrets.DISCORD_WEBHOOK }}
status: ${{ steps.status.outputs.status }}
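Review bot: The job that runs the `Release` step still restores the pnpm store through `actions/cache` (the `Setup pnpm cache` hunk), so a publishing job consumes cache content it did not produce. If any workflow with lower trust can write the same `${{ runner.os }}-pnpm-store-…` key, pinning the actions by SHA does not protect the dependencies that end up in the release. Consider dropping the cache step from this job, or document the accepted risk with a comment such as `# cache is written only by workflows on protected branches`. That this job publishes with write credentials is inferred from the `Release` step; its permissions block is outside the visible hunks.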


@@ -21,7 +21,7 @@ jobs:
issues: write
pull-requests: write
steps:
- uses: actions/stale@v10.1.0
- uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
with:
any-of-labels: "pending author's response"
exempt-issue-labels: 'confirmed'


@@ -24,18 +24,19 @@ jobs:
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
persist-credentials: false
- name: Set up Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version-file: package.json
package-manager-cache: false
- name: Pnpm Setup
uses: pnpm/action-setup@v4
uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
- name: Get pnpm store directory
shell: sh
@@ -43,7 +44,7 @@ jobs:
echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- name: Setup pnpm cache
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ${{ env.STORE_PATH }}
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}


@@ -34,13 +34,13 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
persist-credentials: false
- name: Cache Trivy DB
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: .trivycache
key: trivy-${{ runner.os }}-${{ hashFiles('**/Dockerfile') }}
@@ -56,6 +56,6 @@ jobs:
ignore-unfixed: true
- name: Upload SARIF to code scanning
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
with:
sarif_file: trivy.sarif