From 64d553ba53c91dce14d708dd85917ef45263aa6c Mon Sep 17 00:00:00 2001
From: checkmarx-kobi-hagmi
Date: Tue, 11 Jun 2024 10:25:26 +0300
Subject: [PATCH] Fixed iac issues
---
 .github/workflows/ast-scan.yml | 2 +-
 .github/workflows/delete-packages-and-releases.yml | 2 +-
 .github/workflows/dependabot-auto-merge.yml | 4 ++--
 .github/workflows/release.yml | 8 ++++----
 .github/workflows/update-cli.yml | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/ast-scan.yml b/.github/workflows/ast-scan.yml
index fecc999b..e0427c56 100644
--- a/.github/workflows/ast-scan.yml
+++ b/.github/workflows/ast-scan.yml
@@ -9,7 +9,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 - name: Checkmarx AST CLI Action
- uses: checkmarx/ast-github-action@main
+ uses: checkmarx/ast-github-action@831a8d51a8a0535c0399f9c12728d8d3cc22d850 #main (currently 2.0.28)
 with:
 base_uri: ${{ secrets.BASE_URI }}
 cx_tenant: ${{ secrets.TENANT }}
diff --git a/.github/workflows/delete-packages-and-releases.yml b/.github/workflows/delete-packages-and-releases.yml
index 62502e9c..ebc272d8 100644
--- a/.github/workflows/delete-packages-and-releases.yml
+++ b/.github/workflows/delete-packages-and-releases.yml
@@ -41,7 +41,7 @@ jobs:
 - name: Delete releases and tags
 continue-on-error: true
- uses: dev-drprasad/delete-older-releases@v0.3.4
+ uses: dev-drprasad/delete-older-releases@dfbe6be2a006e9475dfcbe5b8d201f1824c2a9fe #v0.3.4
 env:
 GITHUB_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
 with:
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 96f9cf00..00a566e7 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
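Review bot: The comment on the new pin in ast-scan.yml, `#main (currently 2.0.28)`, names a branch rather than the release the commit belongs to, so once `main` moves on nothing on the line says which release the SHA was taken from. If the pinned commit is the 2.0.28 release, write the comment as `# v2.0.28`; the same applies to the `#v4`, `#v2` and `#v6` comments in dependabot-auto-merge.yml, release.yml and update-cli.yml, which name floating major tags. The `actions/checkout@v4` step in this hunk's context stays on a mutable tag; if the scanner policy exempts GitHub-owned actions that is fine, otherwise it needs the same pin. The job body starts and ends outside the hunk.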
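Review bot: The pinned `delete-older-releases` step in delete-packages-and-releases.yml still receives `secrets.PERSONAL_ACCESS_TOKEN` as `GITHUB_TOKEN`, and with `continue-on-error: true` a failure in it goes unnoticed. Pinning fixes which code runs, but a personal access token usually carries more scope than deleting releases and tags in this one repository needs. Unless something outside the hunk requires the PAT, `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` together with a job-level `permissions: contents: write` would limit what the third-party action can reach. The step's `with:` block continues outside the hunk.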
@@ -11,7 +11,7 @@ jobs:
 steps:
 - name: Dependabot metadata
 id: metadata
- uses: dependabot/fetch-metadata@v2.1.0
+ uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 #v2.1.0
 with:
 github-token: "${{ secrets.PERSONAL_ACCESS_TOKEN }}"
 - name: Enable auto-merge for Dependabot PRs
@@ -20,6 +20,6 @@ jobs:
 GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN }}
 run: gh pr merge --auto --merge "$PR_URL"
 - name: Auto approve dependabot PRs
- uses: hmarr/auto-approve-action@v4
+ uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 #v4
 with:
 github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1cced494..50d7e320 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -96,7 +96,7 @@ jobs:
 - name: Create Pull Request
 id: create_pr
 if: inputs.dev == false
- uses: peter-evans/create-pull-request@v6.0.5
+ uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e #v6.0.5
 with:
 token: ${{ env.GITHUB_TOKEN }}
 branch: ${{ env.BRANCH_NAME }}
@@ -109,14 +109,14 @@ jobs:
 - name: Wait for PR to be created
 id: pr
 if: inputs.dev == false
- uses: octokit/request-action@v2.3.1
+ uses: octokit/request-action@872c5c97b3c85c23516a572f02b31401ef82415d #v2.3.1
 with:
 route: GET /repos/${{ github.repository }}/pulls?head=${{ github.repository_owner }}:${{ env.BRANCH_NAME }}
 # MERGE PR TO MAIN
 - name: Merge Pull Request
 if: inputs.dev == false
- uses: octokit/request-action@v2.3.1
+ uses: octokit/request-action@872c5c97b3c85c23516a572f02b31401ef82415d #v2.3.1
 with:
 route: PUT /repos/${{ github.repository }}/pulls/${{ steps.create_pr.outputs.pull-request-number }}/merge
 merge_method: squash
@@ -134,7 +134,7 @@ jobs:
 # CREATE RELEASE
 - name: Create Release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@a6c7483a42ee9d5daced968f6c217562cd680f7f #v2
 with:
 name: ${{env.TAG_NAME}}
 tag_name: ${{env.TAG_NAME}}
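Review bot: The `Dependabot metadata` step hands `secrets.PERSONAL_ACCESS_TOKEN` to `dependabot/fetch-metadata`, yet the `with:` block visible in this hunk sets only `github-token` and does not enable `alert-lookup`, the option that calls for a personal access token. With only that input the workflow token should be enough: `github-token: "${{ secrets.GITHUB_TOKEN }}"`. The job's trigger and `permissions` are outside the hunk, so confirm them before switching.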
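Review bot: Once actions are pinned by SHA, each future bump arrives as a Dependabot PR (if Dependabot covers GitHub Actions in this repository), and the steps in the second dependabot-auto-merge.yml hunk approve it with `hmarr/auto-approve-action` and enable `gh pr merge --auto --merge` using a PAT, so a new action commit could land without anyone reading it. No `if:` is visible on these steps; if none exists outside the hunk, gate both on the metadata step's outputs, for example `steps.metadata.outputs.package-ecosystem` and `steps.metadata.outputs.update-type`, and leave action updates for manual review. Required status checks on the target branch, if configured, would be the only other control and cannot be seen from here.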
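Review bot: `peter-evans/create-pull-request` is pinned in release.yml to `6d6857d36972b65feb161a90e484f2984215f83e` with the comment `#v6.0.5`, while update-cli.yml pins the same action to `b1ddad2c994a25fbc81a28b3ec0e368bb2021c50` with the comment `#v6`. The two workflows therefore run different commits of one action, and the `#v6` comment does not say which release the second commit is. Confirm which release each SHA belongs to and pin both workflows to the same one, with the exact version in the comment.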
diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml
index 43eff086..67e21283 100644
--- a/.github/workflows/update-cli.yml
+++ b/.github/workflows/update-cli.yml
@@ -29,7 +29,7 @@ jobs:
 ./.github/scripts/update_cli.sh ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
 - name: Create Pull Request
 if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag
- uses: peter-evans/create-pull-request@v6
+ uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 #v6
 with:
 token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
 commit-message: Update checkmarx-ast-cli to ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
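Review bot: The script call in this hunk's context, `./.github/scripts/update_cli.sh ${{ steps.checkmarx-ast-cli.outputs.release_tag }}`, expands the expression into the shell text before the shell runs, so the tag value is parsed as shell syntax rather than passed as data. Where `release_tag` comes from is outside the hunk; if it is read from an upstream release, pass it through the environment instead: add `env: RELEASE_TAG: ${{ steps.checkmarx-ast-cli.outputs.release_tag }}` to the step and call `./.github/scripts/update_cli.sh "$RELEASE_TAG"`. The `run:` step begins above the hunk.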