chore(ci): Harden GitHub Actions

.github/workflows/codeql.yml

@@ -31,22 +31,22 @@ jobs:
 
     steps:
       - name: 'Harden Runner'
-        uses: 'step-security/harden-runner@v2'
+        uses: 'step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594' # v2.16.0
         with:
           egress-policy: 'audit'
 
       - name: 'Checkout repository'
-        uses: 'actions/checkout@v6'
+        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
 
       - name: 'Initialize CodeQL'
-        uses: 'github/codeql-action/init@v4'
+        uses: 'github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13' # v4.35.1
         with:
           languages: '${{ matrix.language }}'
 
       - name: 'Autobuild'
-        uses: 'github/codeql-action/autobuild@v4'
+        uses: 'github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13' # v4.35.1
 
       - name: 'Perform CodeQL Analysis'
-        uses: 'github/codeql-action/analyze@v4'
+        uses: 'github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13' # v4.35.1
         with:
           category: '/language:${{ matrix.language }}'

.github/workflows/dependency-review.yml

@@ -11,12 +11,12 @@ jobs:
     runs-on: 'ubuntu-latest'
     steps:
       - name: 'Harden Runner'
-        uses: 'step-security/harden-runner@v2'
+        uses: 'step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594' # v2.16.0
         with:
           egress-policy: 'audit'
 
       - name: 'Checkout repository'
-        uses: 'actions/checkout@v6'
+        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
 
       - name: 'Dependency Review'
-        uses: 'actions/dependency-review-action@v4'
+        uses: 'actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48' # v4.9.0

.github/workflows/docs.yml

@@ -18,11 +18,16 @@ jobs:
   build:
     runs-on: 'ubuntu-latest'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: 'Checkout repository'
-        uses: 'actions/checkout@v6'
+        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
 
       - name: 'Set up Python'
-        uses: 'actions/setup-python@v6'
+        uses: 'actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405' # v6.2.0
         with:
           python-version: '3.12'
 
@@ -36,7 +41,7 @@ jobs:
         run: 'mkdocs build --strict'
 
       - name: 'Upload Pages artifact'
-        uses: 'actions/upload-pages-artifact@v4'
+        uses: 'actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b' # v4.0.0
         with:
           path: 'site'
 
@@ -47,6 +52,11 @@ jobs:
       name: 'github-pages'
       url: '${{ steps.deployment.outputs.page_url }}'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: 'Deploy to GitHub Pages'
         id: 'deployment'
-        uses: 'actions/deploy-pages@v5'
+        uses: 'actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128' # v5.0.0

.github/workflows/lf-build.yml

@@ -26,11 +26,16 @@ jobs:
 
     steps:
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: 'git clone https://github.com/Linuxfabrik/lfops'
-        uses: 'actions/checkout@v6'
+        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
 
       - name: 'Log in to GitHub Container Registry'
-        uses: 'redhat-actions/podman-login@v1'
+        uses: 'redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603' # v1.7
         with:
           registry: 'ghcr.io'
           username: '${{ github.actor }}'
@@ -99,7 +104,7 @@ jobs:
 
       - name: 'Push to GitHub Container Registry'
         id: 'push-to-ghcr'
-        uses: 'redhat-actions/push-to-registry@v2'
+        uses: 'redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c' # v2.8
         with:
           registry: 'ghcr.io'
           image: '${{ env.GITHUB_REPOSITORY_OWNER_LOWERCASE }}/lfops_ee'

.github/workflows/lf-release.yml

@@ -15,8 +15,13 @@ jobs:
 
     steps:
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: 'Create GitHub Release for ${{ github.ref_name }}'
-        uses: 'softprops/action-gh-release@v2'
+        uses: 'softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe' # v2.6.1
         with:
           tag_name: '${{ github.ref_name }}'
           body: |

.github/workflows/pre-commit-autoupdate.yml

@@ -13,11 +13,16 @@ jobs:
   update:
     runs-on: 'ubuntu-latest'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: 'Checkout repository'
-        uses: 'actions/checkout@v6'
+        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
 
       - name: 'Set up Python'
-        uses: 'actions/setup-python@v6'
+        uses: 'actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405' # v6.2.0
         with:
           python-version: '3.12'
 
@@ -28,7 +33,7 @@ jobs:
         run: 'pre-commit autoupdate'
 
       - name: 'Create Pull Request'
-        uses: 'peter-evans/create-pull-request@v8'
+        uses: 'peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0' # v8.1.0
         with:
           commit-message: 'chore: update pre-commit hooks'
           title: 'chore: update pre-commit hooks'

.github/workflows/scorecard.yml

@@ -17,30 +17,30 @@ jobs:
 
     steps:
       - name: 'Harden Runner'
-        uses: 'step-security/harden-runner@v2'
+        uses: 'step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594' # v2.16.0
         with:
           egress-policy: 'audit'
 
       - name: 'Checkout code'
-        uses: 'actions/checkout@v6'
+        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
         with:
           persist-credentials: false
 
       - name: 'Run analysis'
-        uses: 'ossf/scorecard-action@v2.4.3'
+        uses: 'ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a' # v2.4.3
         with:
           results_file: 'results.sarif'
           results_format: 'sarif'
           publish_results: true
 
       - name: 'Upload artifact'
-        uses: 'actions/upload-artifact@v7'
+        uses: 'actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f' # v7.0.0
         with:
           name: 'SARIF file'
           path: 'results.sarif'
           retention-days: 5
 
       - name: 'Upload to code-scanning'
-        uses: 'github/codeql-action/upload-sarif@v4'
+        uses: 'github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13' # v4.35.1
         with:
           sarif_file: 'results.sarif'