Security: pin GitHub Actions to SHA hashes (#197)

jorgebraz · Codacy Security Bot · web-flow · commit df55ffaac1ca · 2026-04-08T12:09:25.000+01:00
Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0

Co-authored-by: Codacy Security Bot &lt;security-bot@codacy.com&gt;
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -8,15 +8,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0  # Needed for git history
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4
       - name: Build CLI for all platforms
         run: make build-all
       - name: Upload CLI binaries
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: cli-binaries
           path: |
@@ -28,9 +28,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4
       - name: Install dependencies from .codacy/codacy.yaml
         run: |
           make build
@@ -51,14 +51,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4
       - name: "Git Version"
         id: generate-version
-        uses: codacy/git-version@2.8.0
+        uses: codacy/git-version@80c816f11db8dea5e3a81025f598193015b51832 # 2.8.0
       - name: "Tag version"
         run: |
           git tag ${{ steps.generate-version.outputs.version }}
@@ -67,7 +67,7 @@ jobs:
         id: go-version
         run: echo "VERSION=$(go version | cut -d' ' -f3)" >> $GITHUB_OUTPUT
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v5
+        uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5
         with:
           distribution: goreleaser
           version: "~> v2"
diff --git a/.github/workflows/it-test.yml b/.github/workflows/it-test.yml
@@ -11,15 +11,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0  # Needed for git history
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4
       - name: Build CLI for all platforms
         run: make build-all
       - name: Upload CLI binaries
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: cli-binaries
           path: |
@@ -36,12 +36,12 @@ jobs:
       fail-fast: false  
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0  # Needed for git history
 
       - name: Download CLI binaries
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           name: cli-binaries
           path: .
