workflows: Pin specific SHAs

Fixes https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup

Signed-off-by: David Galloway <david.galloway@ibm.com>

diff --git a/.github/workflows/create-backport-trackers.yml b/.github/workflows/create-backport-trackers.yml
index 79b03f62c1c6febf6ea1269f5f565138ffc82b03..4706311c59b2e6c7fccfc79ef78995922c78a90c 100644 (file)
--- a/.github/workflows/create-backport-trackers.yml
+++ b/.github/workflows/create-backport-trackers.yml
@@ -37,13 +37,13 @@ jobs:
     runs-on: ubuntu-latest
     if: github.ref == 'refs/heads/main'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           sparse-checkout: | 
               src/script/backport-create-issue
               src/script/requirements.backport-create-issue.txt
           sparse-checkout-cone-mode: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: '>=3.6 <3.12'
           cache: 'pip'

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 510a6bebd4e236c1ec1e64cdace93ca847c30e2a..1805ae365339ceae1beae4d511ae250ebf63d8f1 100644 (file)
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -9,7 +9,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
           # PAT for GitHub API authentication
           repo-token: "${{ secrets.GITHUB_TOKEN }}"