flanksource · yashmehrotra · Apr 21, 2026 · Apr 20, 2026 · Apr 20, 2026 · coderabbitai
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 0
 
       - name: Post "benchmark running" comment
-        uses: actions/github-script@v9
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
           script: |
             const marker = '<!-- benchstat-report -->';
@@ -70,7 +70,7 @@ jobs:
 
       - name: Install benchstat
         run: |
-          GOBIN="$PWD/.bin" go install golang.org/x/perf/cmd/benchstat@latest
+          GOBIN="$PWD/.bin" go install golang.org/x/perf/cmd/benchstat@v0.0.0-20260409210113-8e83ce0f7b1c
           echo "$PWD/.bin" >> "$GITHUB_PATH"
 
       - name: Prepare base worktree
@@ -138,7 +138,7 @@ jobs:
           retention-days: 14
 
       - name: Post report to PR
-        uses: actions/github-script@v9
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
           script: |
             const fs = require('fs');

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,12 +5,15 @@ on:
       - main
 
 permissions:
-  contents: write
-  id-token: write
+  contents: read
 
 jobs:
   semantic-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
     outputs:
       release-version: ${{ steps.semantic.outputs.release-version }}
       new-release-published: ${{ steps.semantic.outputs.new-release-published }}
@@ -23,6 +26,8 @@ jobs:
   binary:
     runs-on: ubuntu-latest
     needs: semantic-release
+    permissions:
+      contents: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
@@ -61,6 +66,9 @@ jobs:
   docker:
     needs: semantic-release
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -17,7 +17,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install deps
-        uses: flanksource/deps@v1.0.28
+        uses: flanksource/deps@f04324f706a671af0fd0b1d7f9a708c9ec1643f4 # v1.0.28
         with:
           tools: |
             bun
@@ -48,7 +48,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install deps
-        uses: flanksource/deps@v1.0.28
+        uses: flanksource/deps@f04324f706a671af0fd0b1d7f9a708c9ec1643f4 # v1.0.28
         with:
           tools: |
             bun
@@ -99,7 +99,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install deps
-        uses: flanksource/deps@v1.0.28
+        uses: flanksource/deps@f04324f706a671af0fd0b1d7f9a708c9ec1643f4 # v1.0.28
         with:
           tools: |
             bun
@@ -147,7 +147,7 @@ jobs:
           restore-keys: |
             cache-
       - name: Install deps
-        uses: flanksource/deps@v1.0.28
+        uses: flanksource/deps@f04324f706a671af0fd0b1d7f9a708c9ec1643f4 # v1.0.28
         with:
           tools: |
             bun
@@ -238,7 +238,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install deps
-        uses: flanksource/deps@v1.0.28
+        uses: flanksource/deps@f04324f706a671af0fd0b1d7f9a708c9ec1643f4 # v1.0.28
         with:
           tools: |
             bun
@@ -276,7 +276,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install deps
-        uses: flanksource/deps@v1.0.28
+        uses: flanksource/deps@f04324f706a671af0fd0b1d7f9a708c9ec1643f4 # v1.0.28
         with:
           tools: |
             etcd@v3.5.23

diff --git a/build/Dockerfile b/build/Dockerfile
@@ -8,7 +8,7 @@ COPY Makefile /app
 COPY external/diffgen /app/external/diffgen
 RUN make rust-diffgen
 
-FROM golang:1.26-bookworm AS builder-base
+FROM golang:1.26-bookworm@sha256:4f4ab2c90005e7e63cb631f0b4427f05422f241622ee3ec4727cc5febbf83e34 AS builder-base
 WORKDIR /app
 
 ARG VERSION

diff --git a/build/Dockerfile.debug b/build/Dockerfile.debug
@@ -5,7 +5,7 @@ COPY Makefile /app
 COPY external/diffgen /app/external/diffgen
 RUN make rust-diffgen
 
-FROM golang:1.26-bookworm AS builder
+FROM golang:1.26-bookworm@sha256:4f4ab2c90005e7e63cb631f0b4427f05422f241622ee3ec4727cc5febbf83e34 AS builder
 WORKDIR /app
 
 ARG VERSION

diff --git a/scrapers/file/file.go b/scrapers/file/file.go
@@ -1,7 +1,7 @@
 package file
 
 import (
-	"crypto/md5"
+	"crypto/sha256"
 	"encoding/hex"
 	"net/url"
 	"os"
@@ -57,7 +57,7 @@ func convertToLocalPath(uri string) string {
 	if err != nil {
 		return uri
 	}
-	hash := md5.Sum([]byte(uri))
+	hash := sha256.Sum256([]byte(stripSecrets(uri)))
 	p := ""
 	if _uri.Host != "" {
 		p = _uri.Host + "-"

diff --git a/scrapers/file/file_test.go b/scrapers/file/file_test.go
@@ -30,9 +30,9 @@ var _ = Describe("convertToLocalPath", func() {
 		func(input, expected string) {
 			Expect(convertToLocalPath(input)).To(Equal(expected))
 		},
-		Entry("file:// prefix", "file://foo", "foo-ecf5c8ee"),
-		Entry("git:: prefix", "git::foo", "foo-b943d8a5"),
-		Entry("git:: with URL and query", "git::https://foo/path?query=abc", "foo-path-8f49fbdc"),
-		Entry("plain path", "foo", "foo-acbd18db"),
+		Entry("file:// prefix", "file://foo", "foo-2c26b46b"),
+		Entry("git:: prefix", "git::foo", "foo-2c26b46b"),
+		Entry("git:: with URL and query", "git::https://foo/path?query=abc", "foo-path-90c2b34a"),
+		Entry("plain path", "foo", "foo-2c26b46b"),
 	)
 })