ci: pin digests of github actions

Signed-off-by: nscuro <nscuro@protonmail.com>

.github/workflows/ci.yml

@@ -12,7 +12,7 @@ on:
     paths-ignore:
     - examples/**
 
-permissions: {}
+permissions: { }
 
 jobs:
   licensecheck:
@@ -21,9 +21,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
     - name: Check license headers
-      uses: apache/skywalking-eyes@v0.4.0
+      uses: apache/skywalking-eyes@438e4ea5682269933ea2c8b5608662e52af26959 # tag=v0.4.0
       with:
         config: .licenserc.yml
 
@@ -33,18 +33,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
     - name: Setup Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
       with:
         go-version: "1.18"
         check-latest: true
     - name: Run golangci-lint
-      uses: golangci/golangci-lint-action@v3.3.0
+      uses: golangci/golangci-lint-action@07db5389c99593f11ad7b44463c2d4233066a9b1 # tag=v3.3.0
       with:
         version: latest
     - name: Scan Dockerfiles
-      uses: aquasecurity/trivy-action@0.7.1
+      uses: aquasecurity/trivy-action@d63413b0a4a4482237085319f7f4a1ce99a8f2ac # tag=0.7.1
       with:
         scan-type: config
         skip-files: "Dockerfile.examples,Dockerfile.gitpod"
@@ -57,7 +57,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Setup Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
       with:
         go-version: "1.18"
         check-latest: true
@@ -69,6 +69,6 @@ jobs:
         echo "691cf7ed82ecce1f85e6d21bccd1ed2d7968e40eb6be7504b392c8b3a0943891 $HOME/.local/bin/cyclonedx" | sha256sum -c
         chmod +x "$HOME/.local/bin/cyclonedx"
     - name: Checkout Repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
     - name: Test
       run: make test

.github/workflows/codeql-analysis.yml

@@ -8,22 +8,23 @@ on:
     branches:
     - main
 
-permissions:
-  security-events: write
+permissions: { }
 
 jobs:
   analyze:
     name: Analyze
     timeout-minutes: 10
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@f0a12816612c7306b485a22cb164feb43c6df818 # tag=v2.11.2
       with:
         languages: "go"
     - name: Run Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@f0a12816612c7306b485a22cb164feb43c6df818 # tag=v2.11.2
     - name: Perform Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@f0a12816612c7306b485a22cb164feb43c6df818 # tag=v2.11.2

.github/workflows/goreleaser-ci.yml

@@ -1,9 +1,9 @@
 name: GoReleaser CI
 
 on:
-  workflow_dispatch: {}
+  workflow_dispatch: { }
 
-permissions: {}
+permissions: { }
 
 jobs:
   goreleaser-ci:
@@ -12,18 +12,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
       with:
         fetch-depth: 0
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
       with:
         go-version: "1.18"
         check-latest: true
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v2
+      uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # tag=v2.1.0
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v3.2.0
+      uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # tag=v3.2.0
       with:
-        version: 1.10.3
+        version: latest
         args: release --skip-publish --skip-sign --snapshot

.github/workflows/goreleaser.yml

@@ -5,37 +5,38 @@ on:
     tags:
     - 'v*'
 
-permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
+permissions: { }
 
 jobs:
   goreleaser:
     name: Release
     timeout-minutes: 10
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
       with:
         fetch-depth: 0
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
       with:
         go-version: "1.18"
         check-latest: true
-    - uses: sigstore/cosign-installer@v2.7.0
+    - uses: sigstore/cosign-installer@ced07f21fb1da67979f539bbc6304c16c0677e76 # tag=v2.7.0
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v2
+      uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # tag=v2.1.0
     - name: Docker login
-      uses: docker/login-action@v2
+      uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v3.2.0
+      uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # tag=v3.2.0
       with:
-        version: 1.10.3
+        version: latest
         args: release --rm-dist
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}