Pin GitHub Actions to digests and add 1-day Renovate quarantine

[BergCyrill]

Solves #55

Additional adds a quarantine for non-vulnerable bumps to 1 day.
Renovate config edited to use digest pinning for GitHub Actions.

Summary by CodeRabbit

• Chores
  • Enhanced CI/CD security and reproducibility by pinning GitHub Actions to specific commit versions in Docker build, Go testing, and Helm workflows.
  • Updated build configuration to support automatic GitHub Action digest pinning going forward.
  • Improved supply chain security and build process consistency across all deployment pipelines.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR pins GitHub Actions to specific commit SHAs across four CI/CD workflows and configures Renovate to automatically manage these pinned digests. All workflows continue executing their existing logic; only the action references are pinned for supply chain security and reproducibility.

Changes

GitHub Actions Security Pinning

Layer / File(s)	Summary
Renovate Configuration renovate.json	Adds helpers:pinGitHubActionDigests preset to enable Renovate to automatically manage GitHub Action digest pins.
Docker Workflow Pinning .github/workflows/docker.yaml	Pins actions/checkout, docker/metadata-action, Docker build steps (QEMU, buildx, login, build-push), sigstore/cosign-installer, and SBOM/attestation actions to commit SHAs.
Go Workflow Pinning .github/workflows/golang.yaml	Pins actions/checkout, actions/setup-go, and golangci/golangci-lint-action to commit SHAs in both lint and test jobs.
Helm Workflows Pinning .github/workflows/helm-lint.yaml, .github/workflows/helm-publish.yaml	Pins actions/checkout, actions/setup-go, sigstore/cosign-installer, and docker/login-action to commit SHAs across Helm lint and publish workflows.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related issues

• Pin GitHub Actions to SHA digests #55: Directly addresses pinning GitHub Actions to commit SHA digests across the same workflow files (docker.yaml, golang.yaml, helm-lint.yaml, helm-publish.yaml) and renovate.json configuration.
• Dependency Dashboard #3: Related through shared workflow and dependency management files; the Renovate configuration in this PR ensures the Actions pinned across these workflows can be automatically maintained.

Poem

🐰 A rabbit hops through workflows bright,
Pinning actions, holding them tight!
SHA by SHA, secure and sound,
No floating tags can break this ground! 🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: pinning GitHub Actions to digests and configuring Renovate with a quarantine period.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/pin-actions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@renovate.json`:
- Around line 4-8: The OSV alerts setting currently won't bypass the 1-day
quarantine because osV-specific behavior ignores the top-level
minimumReleaseAge; add an explicit osvVulnerabilityAlerts block in renovate.json
(symbol: osvVulnerabilityAlerts) with minimumReleaseAge: "0" to allow OSV
vulnerability PRs to be created immediately, or alternatively remove/adjust the
global minimumReleaseAge if you prefer a different policy; update the Renovate
config where vulnerabilityAlerts and minimumReleaseAge are defined to include
this new block.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3337c08c-b104-4121-b04b-3529487b3e91

📥 Commits

Reviewing files that changed from the base of the PR and between 1fb2920 and 8c2c3f3.

📒 Files selected for processing (5)

• .github/workflows/docker.yaml
• .github/workflows/golang.yaml
• .github/workflows/helm-lint.yaml
• .github/workflows/helm-publish.yaml
• renovate.json

[Perseus985]

Checked the Shas myself. LGTM