naviteq · DovnarAlexander · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026
diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml
@@ -30,6 +30,39 @@ jobs:
         with:
           github_token: ${{ steps.app-token.outputs.token }}
 
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          fetch-depth: 0
+
+      - name: Pin self reusable references to released SHA
+        env:
+          RELEASE_TAG: ${{ steps.tag_version.outputs.new_tag }}
+        run: |
+          set -euo pipefail
+
+          RELEASE_SHA="$(git rev-list -n 1 "$RELEASE_TAG")"
+          echo "Pinning naviteq/github-actions reusable references to $RELEASE_SHA"
+
+          FILES=(
+            ".github/workflows/security-scan.yml"
+            ".github/workflows/helm-release-github.yaml"
+            ".github/workflows/helm-release-gar.yaml"
+            ".github/workflows/helm-release-ecr.yaml"
+          )
+
+          for file in "${FILES[@]}"; do
+            perl -i -pe "s#(uses:\\s+naviteq/github-actions/.+?)@[[:alnum:]._-]+#\$1\\@${RELEASE_SHA}#g" "$file"
+          done
+
+      - name: Commit pinned self references
+        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7
+        with:
+          branch: ${{ github.ref_name }}
+          commit_message: "chore: pin self reusable references to ${{ steps.tag_version.outputs.new_tag }} SHA [skip ci]"
+          file_pattern: ".github/workflows/security-scan.yml .github/workflows/helm-release-github.yaml .github/workflows/helm-release-gar.yaml .github/workflows/helm-release-ecr.yaml"
+
       - name: Create a GitHub release
         uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1
         with:

diff --git a/.github/workflows/helm-release-ecr.yaml b/.github/workflows/helm-release-ecr.yaml
@@ -134,7 +134,7 @@ jobs:
 
       - name: Run OCI core
         id: core
-        uses: naviteq/github-actions/.github/actions/helm-release-oci@main
+        uses: naviteq/github-actions/.github/actions/helm-release-oci@b22353195d721a9b081039be12ec0ebb038dbe8c
         with:
           chart_path: ${{ inputs.chart_path }}
           oci_registry: ${{ inputs.ecr_registry }}

diff --git a/.github/workflows/helm-release-gar.yaml b/.github/workflows/helm-release-gar.yaml
@@ -139,7 +139,7 @@ jobs:
 
       - name: Run OCI core
         id: core
-        uses: naviteq/github-actions/.github/actions/helm-release-oci@main
+        uses: naviteq/github-actions/.github/actions/helm-release-oci@b22353195d721a9b081039be12ec0ebb038dbe8c
         with:
           chart_path: ${{ inputs.chart_path }}
           oci_registry: ${{ inputs.gar_registry }}

diff --git a/.github/workflows/helm-release-github.yaml b/.github/workflows/helm-release-github.yaml
@@ -113,7 +113,7 @@ jobs:
 
       - name: Run OCI core
         id: core
-        uses: naviteq/github-actions/.github/actions/helm-release-oci@main
+        uses: naviteq/github-actions/.github/actions/helm-release-oci@b22353195d721a9b081039be12ec0ebb038dbe8c
         with:
           chart_path: ${{ inputs.chart_path }}
           oci_registry: ${{ inputs.ghcr_registry }}

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -98,27 +98,27 @@ permissions:
 jobs:
   codeql:
     name: CodeQL
-    uses: naviteq/github-actions/.github/workflows/security-codeql.yml@main
+    uses: naviteq/github-actions/.github/workflows/security-codeql.yml@b22353195d721a9b081039be12ec0ebb038dbe8c
     with:
       RUNNER: ${{ inputs.codeql_runner != '' && inputs.codeql_runner || inputs.runner }}
       language: ${{ inputs.codeql_language }}
 
   dependency-review:
     name: Dependency Review
     if: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' || github.event_name == 'merge_group' }}
-    uses: naviteq/github-actions/.github/workflows/security-dependency-review.yml@main
+    uses: naviteq/github-actions/.github/workflows/security-dependency-review.yml@b22353195d721a9b081039be12ec0ebb038dbe8c
     with:
       RUNNER: ${{ inputs.dependency_review_runner != '' && inputs.dependency_review_runner || inputs.runner }}
 
   gitleaks:
     name: Gitleaks
-    uses: naviteq/github-actions/.github/workflows/security-gitleaks.yml@main
+    uses: naviteq/github-actions/.github/workflows/security-gitleaks.yml@b22353195d721a9b081039be12ec0ebb038dbe8c
     with:
       RUNNER: ${{ inputs.gitleaks_runner != '' && inputs.gitleaks_runner || inputs.runner }}
 
   trivy:
     name: Trivy
-    uses: naviteq/github-actions/.github/workflows/security-trivy.yml@main
+    uses: naviteq/github-actions/.github/workflows/security-trivy.yml@b22353195d721a9b081039be12ec0ebb038dbe8c
     with:
       RUNNER: ${{ inputs.trivy_runner != '' && inputs.trivy_runner || inputs.runner }}
       scan_type: ${{ inputs.trivy_scan_type }}
@@ -131,7 +131,7 @@ jobs:
 
   checkov:
     name: Checkov
-    uses: naviteq/github-actions/.github/workflows/security-checkov.yaml@main
+    uses: naviteq/github-actions/.github/workflows/security-checkov.yaml@b22353195d721a9b081039be12ec0ebb038dbe8c
     with:
       RUNNER: ${{ inputs.checkov_runner != '' && inputs.checkov_runner || inputs.runner }}
       directory: ${{ inputs.checkov_directory }}

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -4,3 +4,10 @@ repos:
     rev: v1.7.11 # https://github.com/rhysd/actionlint/blob/v1.7.11/docs/install.md
     hooks:
       - id: actionlint-system
+  - repo: local
+    hooks:
+      - id: pin-self-action-shas
+        name: Pin self action references to current SHA
+        entry: scripts/pin-self-action-shas.sh
+        language: script
+        files: ^\.github/(workflows/.*\.ya?ml|actions/.*/action\.ya?ml)$
diff --git a/scripts/pin-self-action-shas.sh b/scripts/pin-self-action-shas.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+CURRENT_SHA="$(git rev-parse HEAD)"
+TARGET_PREFIX="naviteq/github-actions/"
+
+cd "$REPO_ROOT"
+
+if [[ "$#" -eq 0 ]]; then
+  exit 0
+fi
+
+for file in "$@"; do
+  [[ -f "$file" ]] || continue
+
+  # Only touch workflow/action YAML files where uses: entries are expected.
+  case "$file" in
+    .github/workflows/*.yml|.github/workflows/*.yaml|.github/actions/*/action.yml|.github/actions/*/action.yaml)
+      ;;
+    *)
+      continue
+      ;;
+  esac
+
+  perl -i -pe "s#(uses:\\s+${TARGET_PREFIX}.+?)@[[:alnum:]._-]+#\$1\\@${CURRENT_SHA}#g" "$file"
+done