feat(sec): added process to auto-pin internal actions as well

DovnarAlexander · DovnarAlexander · commit 7cf46127ac9e · 2026-03-27T10:41:32.000+03:00
diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml
@@ -30,6 +30,39 @@ jobs:
         with:
           github_token: ${{ steps.app-token.outputs.token }}
 
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          fetch-depth: 0
+
+      - name: Pin self reusable references to released SHA
+        env:
+          RELEASE_TAG: ${{ steps.tag_version.outputs.new_tag }}
+        run: |
+          set -euo pipefail
+
+          RELEASE_SHA="$(git rev-list -n 1 "$RELEASE_TAG")"
+          echo "Pinning naviteq/github-actions reusable references to $RELEASE_SHA"
+
+          FILES=(
+            ".github/workflows/security-scan.yml"
+            ".github/workflows/helm-release-github.yaml"
+            ".github/workflows/helm-release-gar.yaml"
+            ".github/workflows/helm-release-ecr.yaml"
+          )
+
+          for file in "${FILES[@]}"; do
+            perl -i -pe "s#(uses:\\s+naviteq/github-actions/.+?)@[[:alnum:]._-]+#\$1@${RELEASE_SHA}#g" "$file"
+          done
+
+      - name: Commit pinned self references
+        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7
+        with:
+          branch: ${{ github.ref_name }}
+          commit_message: "chore: pin self reusable references to ${{ steps.tag_version.outputs.new_tag }} SHA [skip ci]"
+          file_pattern: ".github/workflows/security-scan.yml .github/workflows/helm-release-github.yaml .github/workflows/helm-release-gar.yaml .github/workflows/helm-release-ecr.yaml"
+
       - name: Create a GitHub release
         uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1
         with:
diff --git a/.github/workflows/helm-release-ecr.yaml b/.github/workflows/helm-release-ecr.yaml
@@ -134,7 +134,7 @@ jobs:
 
       - name: Run OCI core
         id: core
-        uses: naviteq/github-actions/.github/actions/helm-release-oci@main
+        uses: naviteq/github-actions/.github/actions/helm-release-oci@1782c15d239e5f8cd87e89706fd4be71a32f88fe
         with:
           chart_path: ${{ inputs.chart_path }}
           oci_registry: ${{ inputs.ecr_registry }}
diff --git a/.github/workflows/helm-release-gar.yaml b/.github/workflows/helm-release-gar.yaml
@@ -139,7 +139,7 @@ jobs:
 
       - name: Run OCI core
         id: core
-        uses: naviteq/github-actions/.github/actions/helm-release-oci@main
+        uses: naviteq/github-actions/.github/actions/helm-release-oci@1782c15d239e5f8cd87e89706fd4be71a32f88fe
         with:
           chart_path: ${{ inputs.chart_path }}
           oci_registry: ${{ inputs.gar_registry }}
diff --git a/.github/workflows/helm-release-github.yaml b/.github/workflows/helm-release-github.yaml
@@ -113,7 +113,7 @@ jobs:
 
       - name: Run OCI core
         id: core
-        uses: naviteq/github-actions/.github/actions/helm-release-oci@main
+        uses: naviteq/github-actions/.github/actions/helm-release-oci@1782c15d239e5f8cd87e89706fd4be71a32f88fe
         with:
           chart_path: ${{ inputs.chart_path }}
           oci_registry: ${{ inputs.ghcr_registry }}
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -98,27 +98,27 @@ permissions:
 jobs:
   codeql:
     name: CodeQL
-    uses: naviteq/github-actions/.github/workflows/security-codeql.yml@main
+    uses: naviteq/github-actions/.github/workflows/security-codeql.yml@1782c15d239e5f8cd87e89706fd4be71a32f88fe
     with:
       RUNNER: ${{ inputs.codeql_runner != '' && inputs.codeql_runner || inputs.runner }}
       language: ${{ inputs.codeql_language }}
 
   dependency-review:
     name: Dependency Review
     if: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' || github.event_name == 'merge_group' }}
-    uses: naviteq/github-actions/.github/workflows/security-dependency-review.yml@main
+    uses: naviteq/github-actions/.github/workflows/security-dependency-review.yml@1782c15d239e5f8cd87e89706fd4be71a32f88fe
     with:
       RUNNER: ${{ inputs.dependency_review_runner != '' && inputs.dependency_review_runner || inputs.runner }}
 
   gitleaks:
     name: Gitleaks
-    uses: naviteq/github-actions/.github/workflows/security-gitleaks.yml@main
+    uses: naviteq/github-actions/.github/workflows/security-gitleaks.yml@1782c15d239e5f8cd87e89706fd4be71a32f88fe
     with:
       RUNNER: ${{ inputs.gitleaks_runner != '' && inputs.gitleaks_runner || inputs.runner }}
 
   trivy:
     name: Trivy
-    uses: naviteq/github-actions/.github/workflows/security-trivy.yml@main
+    uses: naviteq/github-actions/.github/workflows/security-trivy.yml@1782c15d239e5f8cd87e89706fd4be71a32f88fe
     with:
       RUNNER: ${{ inputs.trivy_runner != '' && inputs.trivy_runner || inputs.runner }}
       scan_type: ${{ inputs.trivy_scan_type }}
@@ -131,7 +131,7 @@ jobs:
 
   checkov:
     name: Checkov
-    uses: naviteq/github-actions/.github/workflows/security-checkov.yaml@main
+    uses: naviteq/github-actions/.github/workflows/security-checkov.yaml@1782c15d239e5f8cd87e89706fd4be71a32f88fe
     with:
       RUNNER: ${{ inputs.checkov_runner != '' && inputs.checkov_runner || inputs.runner }}
       directory: ${{ inputs.checkov_directory }}
