ci: Pin all gh actions to commit SHAs (#239)

Author: estebany-qd

.github/workflows/label-enforcer.yaml

@@ -10,6 +10,6 @@ jobs:
       pull-requests: write # for TimonVS/pr-labeler-action to add labels in PR
     runs-on: ubuntu-latest
     steps:
-    - uses: TimonVS/pr-labeler-action@v5
+    - uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af # v5.0.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/mergedtomain-workflow.yaml

@@ -18,15 +18,15 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Extract build info
         id: extract_build_info
         run: |
           echo "commit_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
       - name: Update Release Draft
-        uses: release-drafter/release-drafter@v7
+        uses: release-drafter/release-drafter@139054aeaa9adc52ab36ddf67437541f039b88e2 # v7.1.1
         with:
           disable-autolabeler: true
           commitish: main

.github/workflows/pr-workflow.yaml

@@ -14,9 +14,9 @@ jobs:
     timeout-minutes: 10 # Sets a timeout of 10 minutes for this job (default is 1 minute)
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version: '^1.25'
           cache: false
@@ -40,7 +40,7 @@ jobs:
           files=$(gofmt -l .) && echo $files && [ -z "$files" ]
 
       - name: Golang CI Lint
-        uses: golangci/golangci-lint-action@v9
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
         with:
           version: v2.10.1 # Specify the golangci-lint version, so we are stable
 
@@ -49,7 +49,7 @@ jobs:
           make gen
 
       - name: Ensure that make gen did not result in changes
-        uses: CatChen/check-git-status-action@v2
+        uses: CatChen/check-git-status-action@cc5a79733c441f67cd0cd076de116cd2eebcebfe # v2.1.3
         with:
           fail-if-not-clean: true
 

.github/workflows/release-workflow.yaml

@@ -18,7 +18,7 @@ jobs:
       id-token: write  # needed for cosign keyless signing with OIDC
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Extract build info
         id: extract_build_info
@@ -27,10 +27,10 @@ jobs:
           echo "commit_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@v4.1.0
+        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
 
       - name: Login to registry.cloud.qdrant.io
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: registry.cloud.qdrant.io
           username: ${{ secrets.HARBOR_USERNAME }}
@@ -48,7 +48,7 @@ jobs:
           git push origin ${{ steps.extract_build_info.outputs.tag }}
 
       - name: Publish Release Notes
-        uses: release-drafter/release-drafter@v7
+        uses: release-drafter/release-drafter@139054aeaa9adc52ab36ddf67437541f039b88e2 # v7.1.1
         with:
           disable-autolabeler: true
           commitish: ${{ github.ref }}