chore(deps): pin dependencies (#6)

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs
from Renovate will soon appear from 'Mend'. Learn more
[here](https://redirect.github.com/renovatebot/renovate/discussions/37842).

This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[1password/load-secrets-action](https://redirect.github.com/1password/load-secrets-action)
| action | pinDigest | -> `13f58ee` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/1password/load-secrets-action/badge)](https://securityscorecards.dev/viewer/?uri=github.com/1password/load-secrets-action)
|
| [actions/checkout](https://redirect.github.com/actions/checkout) |
action | pinDigest | -> `08c6903` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/actions/checkout/badge)](https://securityscorecards.dev/viewer/?uri=github.com/actions/checkout)
|
|
[actions/setup-python](https://redirect.github.com/actions/setup-python)
| action | pinDigest | -> `a26af69` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/actions/setup-python/badge)](https://securityscorecards.dev/viewer/?uri=github.com/actions/setup-python)
|
| [azure/setup-helm](https://redirect.github.com/azure/setup-helm) |
action | pinDigest | -> `1a275c3` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/azure/setup-helm/badge)](https://securityscorecards.dev/viewer/?uri=github.com/azure/setup-helm)
|
|
[docker/build-push-action](https://redirect.github.com/docker/build-push-action)
| action | pinDigest | -> `2634353` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/docker/build-push-action/badge)](https://securityscorecards.dev/viewer/?uri=github.com/docker/build-push-action)
|
| [docker/login-action](https://redirect.github.com/docker/login-action)
| action | pinDigest | -> `184bdaa` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/docker/login-action/badge)](https://securityscorecards.dev/viewer/?uri=github.com/docker/login-action)
|
|
[docker/metadata-action](https://redirect.github.com/docker/metadata-action)
| action | pinDigest | -> `c1e5197` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/docker/metadata-action/badge)](https://securityscorecards.dev/viewer/?uri=github.com/docker/metadata-action)
|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | pinDigest | -> `192325c` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/github/codeql-action/badge)](https://securityscorecards.dev/viewer/?uri=github.com/github/codeql-action)
|
|
[helm/chart-testing-action](https://redirect.github.com/helm/chart-testing-action)
| action | pinDigest | -> `0d28d31` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/helm/chart-testing-action/badge)](https://securityscorecards.dev/viewer/?uri=github.com/helm/chart-testing-action)
|
| [helm/kind-action](https://redirect.github.com/helm/kind-action) |
action | pinDigest | -> `a1b0e39` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/helm/kind-action/badge)](https://securityscorecards.dev/viewer/?uri=github.com/helm/kind-action)
|
| [lefthook](https://redirect.github.com/evilmartians/lefthook) |
dependencies | pin | [`^1.13.0` ->
`1.13.0`](https://renovatebot.com/diffs/npm/lefthook/1.13.0/1.13.0) |
[![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/evilmartians/lefthook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/evilmartians/lefthook)
|
|
[namespacelabs/nscloud-checkout-action](https://redirect.github.com/namespacelabs/nscloud-checkout-action)
| action | pinDigest | -> `953fed3` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/namespacelabs/nscloud-checkout-action/badge)](https://securityscorecards.dev/viewer/?uri=github.com/namespacelabs/nscloud-checkout-action)
|
| [python](https://redirect.github.com/actions/python-versions) |
uses-with | pin | `3.x` -> `3.13.7` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/actions/python-versions/badge)](https://securityscorecards.dev/viewer/?uri=github.com/actions/python-versions)
|
| [yaml](https://eemeli.org/yaml/)
([source](https://redirect.github.com/eemeli/yaml)) | dependencies | pin
| [`^2.8.1` ->
`2.8.1`](https://renovatebot.com/diffs/npm/yaml/2.8.1/2.8.1) |
[![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/eemeli/yaml/badge)](https://securityscorecards.dev/viewer/?uri=github.com/eemeli/yaml)
|

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/settlemint/network-bootstrapper).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS45Ny4xMCIsInVwZGF0ZWRJblZlciI6IjQxLjk3LjEwIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Author: renovate[bot]

.github/workflows/codeql.yml

@@ -57,7 +57,7 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       # Add any setup steps before running the `github/codeql-action/init` action.
       # This includes steps like installing compilers or runtimes (`actions/setup-node`
@@ -67,7 +67,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -95,6 +95,6 @@ jobs:
           exit 1
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/qa.yml

@@ -41,18 +41,18 @@ jobs:
       packages: write
     steps:
       - name: Checkout repository
-        uses: namespacelabs/nscloud-checkout-action@v7
+        uses: namespacelabs/nscloud-checkout-action@953fed31a6113cc2347ca69c9d823743c65bc84b # v7
         with:
           fetch-depth: ${{ github.event_name == 'push' && 2 || 0 }}
 
       - name: Setup 1Password
-        uses: 1password/load-secrets-action/configure@v3
+        uses: 1password/load-secrets-action/configure@13f58eec611f8e5db52ec16247f58c508398f3e6 # v3
         with:
           service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
 
       - name: Load all secrets
         id: secrets
-        uses: 1password/load-secrets-action@v3
+        uses: 1password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6 # v3
         with:
           export-env: true
         env:
@@ -99,7 +99,7 @@ jobs:
         if: |
           github.event_name == 'push' ||
           (github.event_name == 'pull_request' && github.event.pull_request.draft == false)
-        uses: docker/login-action@v3
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -130,7 +130,7 @@ jobs:
       - name: Docker meta
         if: github.event_name == 'pull_request' || github.event_name == 'push'
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5
         with:
           images: |
             ghcr.io/settlemint/network-bootstrapper
@@ -146,7 +146,7 @@ jobs:
 
       - name: Build and push
         if: github.event_name == 'pull_request' || github.event_name == 'push'
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           context: .
           push: true
@@ -158,18 +158,18 @@ jobs:
 
       - name: Set up Python
         if: github.event_name == 'pull_request' || github.event_name == 'push'
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
-          python-version: "3.x"
+          python-version: "3.13.7"
           check-latest: true
 
       - name: Set up Helm
         if: github.event_name == 'pull_request' || github.event_name == 'push'
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
 
       - name: Set up chart-testing
         if: github.event_name == 'pull_request' || github.event_name == 'push'
-        uses: helm/chart-testing-action@v2.7.0
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
 
       - name: Determine chart changes
         if: github.event_name == 'pull_request' || github.event_name == 'push'
@@ -194,7 +194,7 @@ jobs:
 
       - name: Create kind cluster
         if: (github.event_name == 'pull_request' || github.event_name == 'push') && steps.ct-changed.outputs.changed == 'true'
-        uses: helm/kind-action@v1.12.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
 
       - name: Run chart-testing (install)
         if: (github.event_name == 'pull_request' || github.event_name == 'push') && steps.ct-changed.outputs.changed == 'true'
@@ -253,7 +253,7 @@ jobs:
         if: |
           github.event_name == 'push' ||
           (github.event_name == 'pull_request' && github.event.pull_request.draft == false)
-        uses: docker/login-action@v3
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
         with:
           registry: harbor.settlemint.com
           username: ${{ env.HARBOR_USER }}
@@ -348,17 +348,17 @@ jobs:
       SLACK_CHANNEL_ID: ""
     steps:
       - name: Checkout repository
-        uses: namespacelabs/nscloud-checkout-action@v7
+        uses: namespacelabs/nscloud-checkout-action@953fed31a6113cc2347ca69c9d823743c65bc84b # v7
         with:
           fetch-depth: ${{ github.event_name == 'push' && 2 || 0 }}
 
       - name: Setup 1Password
-        uses: 1password/load-secrets-action/configure@v3
+        uses: 1password/load-secrets-action/configure@13f58eec611f8e5db52ec16247f58c508398f3e6 # v3
         with:
           service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
 
       - name: Load Slack secrets
-        uses: 1password/load-secrets-action@v3
+        uses: 1password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6 # v3
         with:
           export-env: true
         env:
@@ -402,17 +402,17 @@ jobs:
       SLACK_CHANNEL_ID: ""
     steps:
       - name: Checkout repository
-        uses: namespacelabs/nscloud-checkout-action@v7
+        uses: namespacelabs/nscloud-checkout-action@953fed31a6113cc2347ca69c9d823743c65bc84b # v7
         with:
           fetch-depth: ${{ github.event_name == 'push' && 2 || 0 }}
 
       - name: Setup 1Password
-        uses: 1password/load-secrets-action/configure@v3
+        uses: 1password/load-secrets-action/configure@13f58eec611f8e5db52ec16247f58c508398f3e6 # v3
         with:
           service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
 
       - name: Load Slack secrets
-        uses: 1password/load-secrets-action@v3
+        uses: 1password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6 # v3
         with:
           export-env: true
         env:

bun.lock

@@ -42,10 +42,10 @@
     "@inquirer/prompts": "7.8.6",
     "@kubernetes/client-node": "1.3.0",
     "commander": "14.0.1",
-    "lefthook": "^1.13.0",
+    "lefthook": "1.13.0",
     "ox": "0.9.6",
     "viem": "2.37.6",
-    "yaml": "^2.8.1",
+    "yaml": "2.8.1",
     "zod": "4.1.9"
   }
 }