chore(deps): pin dependencies

.github/actions/pr-title-check/action.yaml

@@ -4,12 +4,12 @@ runs:
   using: composite
   steps:
     - name: Check PR title
-      uses: Slashgear/action-check-pr-title@v4
+      uses: Slashgear/action-check-pr-title@860e8dc639f8e60335a6f5e8936ba67ed2536890 # v4
       with:
         regexp: '^(\[(develop|development|staging)\]\s)?(build|chore|ci|docs|feat|feature|fix|perf|refactor|revert|style|test|release|ignore)(\([\w\- ]+\))?!?: (.+)'
         helpMessage: "Example: 'feat(app-ui): Add new dashboard component (WEB-123)'"
     - name: Check for Jira link in PR description
-      uses: actions/github-script@v9
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
       with:
         script: |
           const prBody = context.payload.pull_request.body || '';

.github/workflows/allow-deploys.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: linux-arm64
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       # Enable CD on merge to main
       - name: Enable ${{ inputs.workflow }} workflow

.github/workflows/block-deploys.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: linux-arm64
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       # Disable CD on merge to main
       - name: Disable ${{ inputs.workflow }} workflow

.github/workflows/code-coverage-kotlin.yml

@@ -97,7 +97,7 @@ jobs:
     timeout-minutes: ${{ inputs.test-timeout-minutes }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Validate service-name format
         run: |
           if ! echo "${{ inputs.service-name }}" | grep -qE '^[a-z0-9]+(-[a-z0-9]+)*$'; then
@@ -107,7 +107,7 @@ jobs:
           fi
           echo "✓ service-name '${{ inputs.service-name }}' is valid"
       - name: Set up JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           java-version: ${{ inputs.java-version }}
           distribution: "corretto"
@@ -123,7 +123,7 @@ jobs:
           gradle-tasks: "test koverXmlReport"
           gradle-args: ${{ inputs.gradle-args }}
       - name: Upload coverage report
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: coverage-report-${{ inputs.service-name }}
           path: ${{ inputs.kover-report-path }}
@@ -135,13 +135,13 @@ jobs:
     runs-on: linux-arm64
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Check if can access Dev Lens
         run: |
           curl --retry 3 --retry-delay 5 --retry-all-errors -f -s -o /dev/null --max-time 30 https://dev-lens.staging.monta.app/health
       - name: Download coverage report
         id: download-coverage
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: coverage-report-${{ inputs.service-name }}
       - name: Set coverage report path

.github/workflows/component-build.yml

@@ -99,7 +99,7 @@ jobs:
       runner-arm64: ${{ steps.runner-arm64.outputs.runner-name }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ inputs.git-sha || github.sha }}
       - name: Get x64 runner name
@@ -140,29 +140,29 @@ jobs:
             runner: ${{ needs.setup.outputs.runner-arm64 }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ inputs.git-sha || github.sha }}
       - name: Configure AWS credentials via assumed role
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
         with:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ecr-put-image
           role-session-name: push-new-image-to-${{ inputs.service-identifier }}-${{inputs.stage}}
           aws-region: ${{ inputs.region }}
       - name: Login to Amazon ECR
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
+        uses: aws-actions/amazon-ecr-login@19d944daaa35f0fa1d3f7f8af1d3f2e5de25c5b7 # v2
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
         with:
           images: ${{ steps.login-ecr.outputs.registry }}/${{ inputs.ecr-repository-name || format('{0}-{1}', inputs.service-identifier, inputs.stage) }}
           tags: |
             type=raw,value=${{ inputs.git-sha || github.sha }},suffix=-${{ matrix.arch }}
             type=raw,value=latest,suffix=-${{ matrix.arch }}
       - name: Build and push
         id: build
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         env:
           BUILDX_NO_DEFAULT_ATTESTATIONS: 1
         with:
@@ -201,14 +201,14 @@ jobs:
       image-tag: ${{ inputs.git-sha || github.sha }}
     steps:
       - name: Configure AWS credentials via assumed role
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
         with:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ecr-put-image
           role-session-name: create-manifest-${{ inputs.service-identifier }}-${{inputs.stage}}
           aws-region: ${{ inputs.region }}
       - name: Login to Amazon ECR
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
+        uses: aws-actions/amazon-ecr-login@19d944daaa35f0fa1d3f7f8af1d3f2e5de25c5b7 # v2
       - name: Create and push manifest
         run: |
           # Enable experimental features

.github/workflows/component-deploy-v2.yml

@@ -108,7 +108,7 @@ jobs:
           slack-channel-id: "C01KL9FUPNK"
           slack-message-id: ${{ inputs.slack-message-id }}
       - name: Check out service repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           repository: monta-app/${{ inputs.repository-name || format('service-{0}', inputs.service-identifier) }}
           path: 'service-repo'

.github/workflows/component-deploy.yml

@@ -101,7 +101,7 @@ jobs:
           slack-channel-id: "C01KL9FUPNK"
           slack-message-id: ${{ inputs.slack-message-id }}
       - name: Check out manifest repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           repository: monta-app/kube-manifests
           path: 'manifests'

.github/workflows/component-service-profile-kotlin.yml

@@ -41,9 +41,9 @@ jobs:
     runs-on: linux-arm64
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Set up JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: "corretto"
           java-version: ${{ inputs.java-version }}
@@ -109,7 +109,7 @@ jobs:
               {"condition": {"method": "OPTIONS"}, "name": "OPTIONS [Default]"}
             ]' > service-profile.yml
       - name: Check out manifest repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           path: 'manifests'
           repository: monta-app/kube-manifests
@@ -154,7 +154,7 @@ jobs:
           fi
       - name: Push changes
         if: always() && steps.commit-changes.outputs.has_changes == 'true'
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@d30dc2d070765d7e509df00c34c5fa2dd636ff74 # master
         with:
           directory: './manifests'
           github_token: ${{ secrets.MANIFEST_REPO_PAT }}

.github/workflows/component-test-kotlin.yml

@@ -72,9 +72,9 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Set up JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: "corretto"
           java-version: ${{ inputs.java-version }}
@@ -91,7 +91,7 @@ jobs:
           gradle-args: ${{ inputs.gradle-args }}
       - name: Upload test results
         if: always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: test-result-${{ inputs.gradle-module || 'root' }}
           path: |

.github/workflows/component-test-python.yml

@@ -74,7 +74,7 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Setup Docker Compose
         if: ${{ inputs.docker-compose-path }}
         uses: monta-app/github-workflows/.github/actions/docker-compose-setup@main
@@ -85,11 +85,11 @@ jobs:
           echo "${{ secrets.TEST_ENV_FILE }}" > .env
           echo "Created .env file with $(wc -l < .env) lines"
       - name: Set up Python ${{ inputs.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: ${{ inputs.python-version }}
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
           enable-cache: true
           cache-dependency-glob: |
@@ -110,7 +110,7 @@ jobs:
             ${{ inputs.pytest-args }}
       - name: Upload test results
         if: always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: test-results-python-${{ inputs.python-version }}
           path: |

.github/workflows/create-release-tag.yml

@@ -17,7 +17,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/publish-tech-docs.yml

@@ -26,10 +26,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-      - uses: actions/setup-node@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: '3.14'
 

.github/workflows/pull-request-bun.yml

@@ -69,7 +69,7 @@ jobs:
     timeout-minutes: ${{ inputs.build-timeout-minutes }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
@@ -79,7 +79,7 @@ jobs:
         with:
           docker-compose-path: ${{ inputs.docker-compose-path }}
       - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
         with:
           bun-version: "latest"
       - name: Install dependencies
@@ -103,7 +103,7 @@ jobs:
         run: |
           sudo apt-get install -y lcov
       - name: Report code coverage
-        uses: zgosalvez/github-actions-report-lcov@v7
+        uses: zgosalvez/github-actions-report-lcov@7d72c57ce4bc101a4a0bf9d726b6c435abde8439 # v7
         with:
           coverage-files: coverage/*lcov.info*
           minimum-coverage: 0

.github/workflows/pull-request-kotlin.yml

@@ -74,19 +74,19 @@ jobs:
     steps:
       # Checkout
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           # to check out the actual pull request commit, not the merge commit
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
       - name: Set up JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: corretto
           java-version: ${{ inputs.java-version }}
           cache: 'gradle'
       - name: Cache SonarCloud packages
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         if: ${{ !inputs.skip-sonar }}
         with:
           path: ~/.sonar/cache
@@ -114,7 +114,7 @@ jobs:
           gradle-args: ${{ inputs.gradle-args }}
       - name: Upload test results
         if: always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: ${{ inputs.gradle-module || 'test-result' }}
           path: |
@@ -135,7 +135,7 @@ jobs:
           gradle-tasks: 'sonar'
           gradle-args: ${{ inputs.gradle-args }}
       - name: Add code coverage to PR
-        uses: mi-kas/kover-report@v2
+        uses: mi-kas/kover-report@e44de7f5f7a878ba9d0070c86aa5c470efd5e2d1 # v2
         with:
           title: Code Coverage ${{ inputs.gradle-module }}
           path: ${{ inputs.kover-report-path }}
@@ -145,7 +145,7 @@ jobs:
           update-comment: true
           coverage-counter-type: LINE
       - name: Publish test results
-        uses: EnricoMi/publish-unit-test-result-action@v2
+        uses: EnricoMi/publish-unit-test-result-action@c950f6fb443cb5af20a377fd0dfaa78838901040 # v2
         if: always()
         with:
           files: |

.github/workflows/pull-request-react.yml

@@ -75,17 +75,17 @@ jobs:
     timeout-minutes: ${{ inputs.build-timeout-minutes }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
       - name: Setup pnpm
-        uses: pnpm/action-setup@v6
+        uses: pnpm/action-setup@903f9c1a6ebcba6cf41d87230be49611ac97822e # v6
         with:
           version: ${{ inputs.pnpm-version || null }}
           run_install: false
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ inputs.node-version }}
           cache: pnpm

.github/workflows/pull-request.yml

@@ -16,10 +16,10 @@ jobs:
     runs-on: linux-arm64
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Run actionlint
-        uses: reviewdog/action-actionlint@v1
+        uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           reporter: github-pr-review