chore(deps): pin dependencies

.github/workflows/build-test-push.yaml

@@ -48,7 +48,7 @@ jobs:
       checks: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4
         with:
           fetch-depth: 0
           submodules: true
@@ -60,7 +60,7 @@ jobs:
           docker compose run --rm ${{ inputs.compose_args }} ${{ inputs.service }} \
             -- ${{ inputs.test_args }}
       - name: Publish test result
-        uses: enricomi/publish-unit-test-result-action@v2
+        uses: enricomi/publish-unit-test-result-action@30eadd5010312f995f0d3b3cff7fe2984f69409e # v2
         if: always()
         with:
           junit_files: testing/junit.xml
@@ -71,7 +71,7 @@ jobs:
           docker compose run --rm --entrypoint "tar cvv ${{ inputs.artifacts }}/" ${{ inputs.service }} | tar x
       - name: Store build artifacts
         if: inputs.artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
         with:
           name: artifacts
           path: ${{ inputs.artifacts }}*
@@ -88,7 +88,7 @@ jobs:
           echo "describe=${tag:-$( git describe --tags )}" >> "$GITHUB_ENV"
       - name: Setup auth
         id: baseproject
-        uses: ZeitOnline/gh-action-baseproject@v0
+        uses: ZeitOnline/gh-action-baseproject@8e4cc6e4fea8dced0d6edf3c7da84d1b92c6f610 # v0
         if: inputs.targets
         with:
           project_name: ${{ env.project }}
@@ -103,14 +103,14 @@ jobs:
             docker push $tag
           done
       - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6
         if: inputs.versions
         with:
           gpg_private_key: ${{ secrets.ZON_OPS_GPG_KEY_PRIVATE }}
           git_user_signingkey: true
           git_commit_gpgsign: true
       - name: Set up Kustomize
-        uses: imranismail/setup-kustomize@v2
+        uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2
         if: inputs.versions
       - name: Pull recent changes
         if: ${{ inputs.versions && github.ref_type == 'branch' }}

.github/workflows/changelog-version.yaml

@@ -16,7 +16,7 @@ jobs:
       tag: ${{ steps.version.outputs.tag }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4
       - name: Get version
         id: version
         run: |

.github/workflows/git-describe.yaml

@@ -16,7 +16,7 @@ jobs:
       describe: ${{ steps.ghd.outputs.describe }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4
         with:
           fetch-depth: 0
       - name: Git describe

.github/workflows/git-tag.yaml

@@ -14,9 +14,9 @@ jobs:
       contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4
       - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6
         with:
           gpg_private_key: ${{ secrets.ZON_OPS_GPG_KEY_PRIVATE }}
           git_user_signingkey: true

.github/workflows/k8s-validation.yaml

@@ -9,9 +9,9 @@ jobs:
       contents: read
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4
     - name: Set up kubectl
-      uses: azure/setup-kubectl@v3
+      uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 # v3
     - name: Generate manifests
       run: |
         mkdir manifests

.github/workflows/nightwatch-build.yaml

@@ -29,7 +29,7 @@ jobs:
       tag: ${{ steps.tag.outputs.tag }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4
       - name: Set tag
         id: tag
         run: date +tag=%Y%m%d%H%M%S >> "$GITHUB_OUTPUT"
@@ -44,7 +44,7 @@ jobs:
           echo "image=${{ vars.GAR_DOCKER_REGISTRY }}/$project-nightwatch" >> "$GITHUB_ENV"
           echo "tag=${{ steps.tag.outputs.tag }}" >> "$GITHUB_ENV"
       - name: Setup auth
-        uses: ZeitOnline/gh-action-baseproject@v0
+        uses: ZeitOnline/gh-action-baseproject@8e4cc6e4fea8dced0d6edf3c7da84d1b92c6f610 # v0
         with:
           project_name: ${{ env.project }}
           environment: staging
@@ -53,11 +53,11 @@ jobs:
           gar_docker_auth: true
           vault_export_token: true
       - name: Setup buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3
         with:
           driver: docker
       - name: Build & push image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5
         with:
           context: smoketest
           target: nightwatch

.github/workflows/pre-commit.yaml

@@ -8,7 +8,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4
       - name: Install pre-commit
         run: pip install pre-commit
       - name: Run code checks

.github/workflows/release-notification.yaml

@@ -34,7 +34,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4
 
       - name: Set variables
         id: vars
@@ -47,14 +47,14 @@ jobs:
 
       - name: Baseproject
         id: baseproject
-        uses: ZeitOnline/gh-action-baseproject@v0
+        uses: ZeitOnline/gh-action-baseproject@8e4cc6e4fea8dced0d6edf3c7da84d1b92c6f610 # v0
         with:
             project_name: ${{ env.project }}
             environment: production
 
       - name: Retrieve secrets from Vault
         id: vault-secrets
-        uses: hashicorp/[email protected]
+        uses: hashicorp/vault-action@9c2d817b85b9fff56bcab21cb74b485aee9e9d73 # v2.8.1
         with:
             method: jwt
             url: ${{ steps.baseproject.outputs.vault_addr }}
@@ -64,7 +64,7 @@ jobs:
                 zon/v1/slack/hackbot HOOK_TOKEN;
 
       - name: Post release in slack channel
-        uses: fjogeleit/http-request-action@v1
+        uses: fjogeleit/http-request-action@0bd00a33db6f82063a3c6befd41f232f61d66583 # v1
         with:
             url: "https://hackbot.zon.zeit.de/${{ steps.vault-secrets.outputs.HOOK_TOKEN }}/deployment/releases"
             method: 'POST'

.github/workflows/set-images.yaml

@@ -17,15 +17,15 @@ jobs:
       contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4
       - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6
         with:
           gpg_private_key: ${{ secrets.ZON_OPS_GPG_KEY_PRIVATE }}
           git_user_signingkey: true
           git_commit_gpgsign: true
       - name: Set up Kustomize
-        uses: imranismail/setup-kustomize@v2
+        uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2
       - name: Set image tags
         run: |
           cd ${{ inputs.location }}