From 8bb69484b887eb2e0718d5b2ba018c946bac314d Mon Sep 17 00:00:00 2001
From: m1rm
Date: Wed, 20 May 2026 11:59:32 +0200
Subject: [PATCH] security: harden github actions
---
 .github/actions/setup/action.yml | 8 ++++----
 .github/workflows/ci.yml | 18 ++++++++++++------
 .github/workflows/update-go.yml | 5 +++--
 .github/workflows/update-pnpm.yml | 5 +++--
 4 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index 85dcacad..7526bc19 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -13,19 +13,19 @@ runs:
 using: "composite"
 steps:
 - name: Install Just
- uses: extractions/setup-just@v3
+ uses: extractions/setup-just@53165ef7e734c5c07cb06b3c8e7b647c5aa16db3 #v4
 env:
 GITHUB_TOKEN: ${{ github.token }}
 - name: Install pnpm
- uses: pnpm/action-setup@v4
+ uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 #v6.0.8
 if: ${{ !inputs.pnpm-version }}
 - name: Install pnpm (override)
- uses: pnpm/action-setup@v4
+ uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 #v6.0.8
 if: ${{ inputs.pnpm-version }}
 with:
 version: ${{ inputs.pnpm-version }}
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c #v6.4.0
 with:
 go-version: ${{ inputs.go-version }}
 go-version-file: ${{ inputs.go-version && '' || 'go.mod' }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fa0a929e..77293296 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,11 +10,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+ with:
+ persist-credentials: false
 - name: Run Common Setup
 uses: ./.github/actions/setup
 - name: Cache Go tools
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae #v5.0.5
 with:
 path: |
 ~/go/bin/golangci-lint
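Review bot: The version comments appended to the new pins in the action.yml hunk (`#v4`, `#v6.0.8`, `#v6.4.0`, and the same form on every pinned line in the other hunks of this patch) have no space after the hash, which yamllint's comments rule flags; write them as `uses: extractions/setup-just@53165ef7e734c5c07cb06b3c8e7b647c5aa16db3  # v4`. Beyond style, the `# vX.Y.Z` form is the one pin-updating tooling such as Dependabot is commonly documented to recognise when refreshing a SHA, so the no-space form may leave these pins unmaintained — worth confirming against whatever updater this repository runs. Two of the pins in this hunk are also not pure pins: setup-just moves from v3 to v4 and pnpm/action-setup from v4 to v6, major-version changes whose behaviour differences the commit message does not mention and which would be easier to review as their own change.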
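Review bot: With credentials no longer persisted and every action pinned, the remaining default-permissions exposure in ci.yml is the `GITHUB_TOKEN` itself, and none of the ci.yml hunks (at -10, -36, -49, -68) add a `permissions:` block. The workflow header is outside the hunk, so if ci.yml does not already declare one, add a top-level `permissions:` with `contents: read` so the token handed to every job is read-only by default; the steps visible here (lint, build, artifact upload and download) need nothing more. Each job's enclosing block starts outside the hunk.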
@@ -36,7 +38,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+ with:
+ persist-credentials: false
 - name: Run Common Setup
 uses: ./.github/actions/setup
 - name: Build Templates
@@ -49,13 +53,15 @@ jobs:
 needs: [lint, test]
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+ with:
+ persist-credentials: false
 - name: Run Common Setup
 uses: ./.github/actions/setup
 - name: Build Application
 run: just build
 - name: Upload binary
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
 if: github.ref == 'refs/heads/main'
 with:
 name: pkgstatsd
@@ -68,7 +74,7 @@ jobs:
 if: github.ref == 'refs/heads/main'
 steps:
 - name: Download binary
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
 with:
 name: pkgstatsd
 - name: Deploy
diff --git a/.github/workflows/update-go.yml b/.github/workflows/update-go.yml
index f872d265..b8e77275 100644
--- a/.github/workflows/update-go.yml
+++ b/.github/workflows/update-go.yml
@@ -10,9 +10,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 with:
 token: ${{ secrets.MAINTENANCE_TOKEN }}
+ persist-credentials: false
 - name: Run Common Setup
 uses: ./.github/actions/setup
 with:
@@ -30,7 +31,7 @@ jobs:
 - name: Run Tests
 run: just test
 - name: Commit updates
- uses: stefanzweifel/git-auto-commit-action@v7
+ uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 #v7.1.0
 with:
 commit_message: Update Go dependencies
 commit_user_name: Maintenance Bob
diff --git a/.github/workflows/update-pnpm.yml b/.github/workflows/update-pnpm.yml
index f09a10ea..c933ac1d 100644
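Review bot: In the update-go.yml hunk at -10, adding `persist-credentials: false` under a checkout that also receives `token: ${{ secrets.MAINTENANCE_TOKEN }}` means the token is used for the fetch but no longer left in `.git/config`; stefanzweifel/git-auto-commit-action in the hunk at -30 pushes with whatever credentials the checkout left behind, so as far as I can tell that push will now fail, and the same pair of changes appears in update-pnpm.yml at -10 and -34. Either keep `persist-credentials: false` and give the commit step its own way to authenticate the push, or drop the new line in these two maintenance workflows and rely on the scoped PAT, recording the decision with a comment such as `# MAINTENANCE_TOKEN must stay persisted: the commit step below pushes with it`. Whichever is chosen, that PAT should carry only the contents-write scope the push needs. The job's enclosing block starts outside the hunk.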
--- a/.github/workflows/update-pnpm.yml
+++ b/.github/workflows/update-pnpm.yml
@@ -10,9 +10,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 with:
 token: ${{ secrets.MAINTENANCE_TOKEN }}
+ persist-credentials: false
 - name: Fetch latest pnpm version and update package.json
 run: |
 LATEST=$(npm view pnpm version)
@@ -34,7 +35,7 @@ jobs:
 - name: Run Tests
 run: just test
 - name: Commit updates
- uses: stefanzweifel/git-auto-commit-action@v7
+ uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 #v7.1.0
 with:
 commit_message: Update pnpm dependencies
 commit_user_name: Maintenance Bob