ci: harden workflow action pins

Author: ckrack

.github/commitsar.yml .commitsar.yaml.github/commitsar.yml renamed to .commitsar.yaml

@@ -24,10 +24,12 @@ jobs:
         composer-deps: [lowest, stable]
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
         with:
           coverage: none
           php-version: ${{ matrix.php-version }}

.github/workflows/ci.yml

@@ -3,22 +3,25 @@ name: "conventions"
 on:
   pull_request: ~
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   lint:
     name: Validate PR and commits
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Validate commits
-        uses: docker://aevea/commitsar
-        env:
-          COMMITSAR_CONFIG_PATH: .github/commitsar.yml
+        uses: aevea/commitsar@909c3ab676c9af63cb84f2e38f395c7e89829b04 # v1.0.3
 
       - name: Validate pull request title
-        uses: amannn/action-semantic-pull-request@v6
+        uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-conventions.yml

@@ -12,15 +12,15 @@ jobs:
   content-label:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v6
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         with:
           sync-labels: true
 
   conventional-label:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: bcoe/conventional-release-labels@v1
+      - uses: bcoe/conventional-release-labels@886f696738527c7be444262c327c89436dfb95a8 # v1.3.1
         with:
           type_labels: |
             {

.github/workflows/pr-labeler.yml

@@ -13,7 +13,7 @@ jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
-      - uses: googleapis/release-please-action@v4
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
         with:
           release-type: php
           token: ${{ secrets.GITHUB_TOKEN }}