chore(ci): pin third-party GitHub actions to specific commit hashes (#…

…14115) (#14128)

(cherry picked from commit 0a440b6)

.github/workflows/autodocs.yml

@@ -123,7 +123,7 @@ jobs:
           git checkout -b "autodocs-${{ steps.kong-branch.outputs.name }}"
 
       - name: Commit autodoc changes
-        uses: stefanzweifel/git-auto-commit-action@v5
+        uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5
         with:
           repository: "./docs.konghq.com"
           commit_message: "Autodocs update"

.github/workflows/build_and_test.yml

@@ -139,7 +139,7 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Download runtimes file
-      uses: Kong/gh-storage/download@v1
+      uses: Kong/gh-storage/download@b196a6b94032e56e414227c749e9f96a6afc2b91 # v1
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:

.github/workflows/changelog-validation.yml

@@ -12,6 +12,6 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Validate changelogs
-        uses: Kong/gateway-changelog@main
+        uses: Kong/gateway-changelog@bc389e6bcc015b3560c4d1024a3782331602a0f6
         with:
           files: changelog/unreleased/*/*.yml

.github/workflows/label-schema.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Schema change label found
-      uses: rtCamp/action-slack-notify@v2
+      uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 # v2
       continue-on-error: true
       env:
         SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_SCHEMA_CHANGE }}

.github/workflows/release.yml

@@ -340,7 +340,7 @@ jobs:
 
     - name: Docker meta
       id: meta
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
       env:
         DOCKER_METADATA_PR_HEAD_SHA: true
       with:
@@ -351,10 +351,10 @@ jobs:
 
     - name: Set up QEMU
       if: matrix.docker-platforms != ''
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
 
     - name: Set platforms
       id: docker_platforms_arg
@@ -380,7 +380,7 @@ jobs:
         echo "rpm_platform=$rpm_platform" >> $GITHUB_OUTPUT
 
     - name: Build Docker Image
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
       with:
         file: build/dockerfiles/${{ matrix.package }}.Dockerfile
         context: .
@@ -458,7 +458,7 @@ jobs:
       IMAGE: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}
     steps:
     - name: Install regctl
-      uses: regclient/actions/regctl-installer@main
+      uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183
 
     - name: Login to Docker Hub
       if: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN }}
@@ -601,7 +601,7 @@ jobs:
 
     - name: Docker meta
       id: meta
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
       with:
         images: ${{ needs.metadata.outputs.docker-repository }}
         sep-tags: " "

.github/workflows/update-test-runtime-statistics.yml

@@ -28,7 +28,7 @@ jobs:
           artifact-name-regexp: "^test-runtime-statistics-\\d+$"
 
       - name: Upload new runtimes file
-        uses: Kong/gh-storage/upload@v1
+        uses: Kong/gh-storage/upload@b196a6b94032e56e414227c749e9f96a6afc2b91 # v1
         env:
           GITHUB_TOKEN: ${{ secrets.PAT }}
         with: