workflows: pin all actions to SHA

[patrick-stephens]

Used pinact to switch all actions to use pinned SHA values rather than release or, even worse, floating master branches.

$ pinact init
$ pinact run --update

Replaced some unsupported actions with better ones that have SHA support:

• ActionLint
• ShellCheck

Removed unused workflows to reduce maintenance and complexity burden:

• Perf test
• DockerHub update

The only outstanding one is the OSS fuzzer action: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master

ERROR failed to handle a line: action can't be pinned
.github/workflows/pr-fuzz.yaml:18
      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
ERROR failed to handle a line: action can't be pinned
.github/workflows/pr-fuzz.yaml:24
      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master

@DavidKorczynski can we switch it to using a specific SHA rather than relying on that floating master branch? That way we can also enable the option to require pinned SHAs for this repo too.

---

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

• Example configuration file for the change
• Debug log output from testing the change

• Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

• Run local packaging test showing all targets (including any new ones) build.
• Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

• Documentation required for this feature

Backporting

• Backport to latest stable release.

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

• Chores
  • Pinned third‑party CI actions to fixed commit SHAs across many workflows for more reproducible and stable builds.
  • Added a new configuration file to manage action‑pinning rules.
• Chores (CI tweaks)
  • Standardized checkout steps (explicit credential handling) and updated lint-related workflow steps for consistent CI behavior.
• Revert / Removed
  • Removed the performance‑testing workflow that ran labeled PR perf jobs, plots, and automatic labeling.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f9ffcfd5-a07a-41e0-afad-cb2dd0566ffd

📥 Commits

Reviewing files that changed from the base of the PR and between 90cb2ca and c73b1b2.

📒 Files selected for processing (9)

• .github/actions/generate-package-build-matrix/action.yaml
• .github/workflows/call-integration-image-build.yaml
• .github/workflows/call-test-packages.yaml
• .github/workflows/pr-image-tests.yaml
• .github/workflows/pr-install-script.yaml
• .github/workflows/pr-lint.yaml
• .github/workflows/pr-package-tests.yaml
• .github/workflows/unit-tests.yaml
• .github/workflows/update-dockerhub.yaml

💤 Files with no reviewable changes (1)

• .github/workflows/update-dockerhub.yaml

✅ Files skipped from review due to trivial changes (1)

• .github/workflows/pr-install-script.yaml

🚧 Files skipped from review as they are similar to previous changes (5)

• .github/actions/generate-package-build-matrix/action.yaml
• .github/workflows/call-integration-image-build.yaml
• .github/workflows/pr-image-tests.yaml
• .github/workflows/pr-lint.yaml
• .github/workflows/call-test-packages.yaml

---

📝 Walkthrough

Walkthrough

This PR pins many GitHub Actions usages to explicit commit SHAs across build, test, release, lint, and cron workflows, adds a .pinact.yaml pin configuration, and removes the pr-perf-test.yaml workflow.

Changes

GitHub Actions Supply Chain Hardening

Layer / File(s)	Summary
Build infrastructure .github/actions/generate-package-build-matrix/action.yaml, .github/workflows/call-build-*.yaml	Composite action and build workflows (images, Linux packages, macOS, Windows) now use SHA-pinned actions/checkout, Docker tooling (docker/setup-buildx-action, docker/login-action, docker/build-push-action), artifact handling (actions/upload-artifact, actions/download-artifact), metadata extraction, scanning, and signing actions. No build logic changed.
Test & validation workflows .github/workflows/call-integration-image-build.yaml, .github/workflows/call-test-images.yaml, .github/workflows/call-run-integration-test.yaml, .github/workflows/call-windows-unit-tests.yaml, .github/workflows/unit-tests.yaml, .github/workflows/pr-image-tests.yaml, .github/workflows/pr-image-tests.yaml	Image builds, integration tests (Terraform, KIND, GKE), unit tests, and image testing workflows pin checkout, build tools, KIND/Helm/kubectl, and test-runner actions to SHAs. Test orchestration and commands unchanged.
PR lint modernization .github/workflows/pr-lint.yaml	PR lint workflow pins action refs, adds job-level permissions, sets persist-credentials: false on checkout steps, and replaces legacy runners with pinned reviewdog-based Hadolint/Shellcheck/Actionlint actions and configured reporters.
PR validation workflows .github/workflows/pr-*.yaml, .github/actions/*	PR image, install, package, compile-check, commit-message, and fuzz workflows pin checkout, build, artifact, and reporting actions to SHAs while keeping existing job wiring and conditions.
Release & staging pipeline .github/workflows/staging-build.yaml, .github/workflows/staging-release.yaml	Staging build and release workflows pin checkout, artifact, Docker login, GPG import, cosign, release creation, and PR creation actions to SHAs across promotion and signing jobs. No change to job structure or conditionals.
CI maintenance & pin config .github/workflows/cron-*.yaml, .github/workflows/pr-closed-docker.yaml, .pinact.yaml	Maintenance, analysis, and scheduled workflows pin actions to SHAs; .pinact.yaml is added containing pinact schema and version with commented ignore examples. pr-perf-test.yaml was removed.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

security

Suggested reviewers

• niedbalski
• celalettin1286

Poem

🐰 I hop through YAML, paws neat and small,
Pinning each action so workflows won’t fall.
Builds stay steady, tests dance in a line,
Keys locked to SHAs — tidy and fine.
Hooray, says the rabbit, CI secure for all!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'workflows: pin all actions to SHA' clearly and concisely summarizes the main change across all modified workflow files, which is pinning GitHub Actions to specific commit SHAs instead of floating version tags.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch pin_actions_to_sha

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[patrick-stephens]

@lecaros related to #11846 (comment)