feat(ci): pin all github action versions

.github/workflows/main.yml

@@ -20,15 +20,15 @@ jobs:
 
     steps:
       - name: Install Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v3.0.0
         with:
           go-version: ${{ matrix.go-version }}
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
 
       # cache go modules
-      - uses: actions/cache@v2
+      - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed # tag=v2.1.7
         with:
           # In order:
           # * Module download cache

.github/workflows/release.yaml

@@ -3,7 +3,7 @@ name: Release
 on:
   push:
     tags:
-      - '*'
+      - "*"
 
 permissions: read-all
 
@@ -22,7 +22,7 @@ jobs:
         uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v3.0.0
         with:
           go-version: 1.17
-      - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed # renovate: tag=v2.1.7
+      - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed # tag=v2.1.7
         with:
           path: |
             ~/.cache/go-build
@@ -31,9 +31,9 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-go-
       - uses: sigstore/cosign-installer@179e0f15e70e22ca2e7254fc12d68a9fbab35614 # tag=v2.0.1
-      - uses: anchore/sbom-action/download-syft@3626d7d7b13e87ee6c6f9ded3940dea05a3967bc # renovate: tag=v0.6.0
+      - uses: anchore/sbom-action/download-syft@3626d7d7b13e87ee6c6f9ded3940dea05a3967bc # tag=v0.6.0
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@79d4afbba1b4eff8b9a98e3d2e58c4dbaf094e2b # renovate: tag=v2.8.1
+        uses: goreleaser/goreleaser-action@79d4afbba1b4eff8b9a98e3d2e58c4dbaf094e2b # tag=v2.8.1
         with:
           version: latest
           args: release --rm-dist

.github/workflows/semgrep.yml

@@ -16,7 +16,7 @@ jobs:
     if: (github.actor != 'dependabot[bot]')
     steps:
       # Fetch project source
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
 
       - uses: returntocorp/semgrep-action@v1
         with:
@@ -29,19 +29,18 @@ jobs:
             p/docker
             p/dockerfile
             p/command-injection
-        # == Optional settings in the `with:` block
-
-        # Instead of `config:`, use rules set in Semgrep App.
-        # Get your credentials from semgrep.dev/manage/settings.
-        #   publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
-        #   publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
-
-        # Never fail the build due to findings on pushes.
-        # Instead, just collect findings for semgrep.dev/manage/findings
-        #   auditOn: push
-
-        # Upload findings to GitHub Advanced Security Dashboard [step 1/2]
-        # See also the next step.
+          # == Optional settings in the `with:` block
+          # Instead of `config:`, use rules set in Semgrep App.
+          # Get your credentials from semgrep.dev/manage/settings.
+          #   publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
+          #   publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
+
+          # Never fail the build due to findings on pushes.
+          # Instead, just collect findings for semgrep.dev/manage/findings
+          #   auditOn: push
+
+          # Upload findings to GitHub Advanced Security Dashboard [step 1/2]
+          # See also the next step.
           generateSarif: "1"
 
         # Change job timeout (default is 1800 seconds; set to 0 to disable)
@@ -50,7 +49,7 @@ jobs:
 
       # Upload findings to GitHub Advanced Security Dashboard [step 2/2]
       - name: Upload SARIF file for GitHub Advanced Security Dashboard
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@75f07e7ab2ee63cba88752d8c696324e4df67466 # tag=v1.1.3
         with:
           sarif_file: semgrep.sarif
         if: always()