Chore: pin actions by hashes

.github/workflows/__build-workflow.yaml

@@ -85,7 +85,7 @@ jobs:
       prerelease: ${{ steps.semver_parser.outputs.prerelease }}
 
     steps:
-      - uses: mukunku/[email protected]
+      - uses: mukunku/tag-exists-action@bdad1eaa119ce71b150b952c97351c75025c06a9 # v1.6.0
         id: check-tag
         if: ${{ inputs.tag != '' }}
         name: check if tag already exists
@@ -106,7 +106,7 @@ jobs:
       - name: Parse semver string
         id: semver_parser
         if: ${{ inputs.tag != '' }}
-        uses: booxmedialtd/[email protected]
+        uses: booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3 # v1.4.7
         with:
           input_string: ${{ inputs.tag }}
           version_extractor_regex: 'v(.*)$'
@@ -147,14 +147,14 @@ jobs:
 
       - name: Log in to the Container registry
         if: ${{ inputs.push }}
-        uses: docker/[email protected]
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ${{ inputs.registry }}
           username: ${{ inputs.username }}
           password: ${{ secrets.dockerhub-token }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
 
       - name: Add standard tags
         if: ${{ inputs.tag != '' }}
@@ -173,7 +173,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/[email protected]
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
         with:
           images: |
             ${{ inputs.registry }}/${{ inputs.image-name }}
@@ -205,7 +205,7 @@ jobs:
 
       - name: Build image
         id: build
-        uses: docker/[email protected]
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           context: .
           build-contexts: ${{ inputs.additional-build-contexts }}
@@ -274,7 +274,7 @@ jobs:
       - name: Configure Git for private repositories (this is needed by repositories that include this workflow and have other private dependencies)
         run: git config --global url."https://${{ secrets.gh-pat }}@github.com".insteadOf "https://github.com"
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
 
       - name: Add standard tags
         if: ${{ inputs.tag != '' }}
@@ -293,7 +293,7 @@ jobs:
 
       - name: Docker metadata
         id: meta
-        uses: docker/[email protected]
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
         with:
           images: |
             ${{ inputs.registry }}/${{ inputs.image-name }}
@@ -310,7 +310,7 @@ jobs:
 
       - name: Log in to the Container registry
         if: ${{ inputs.push }}
-        uses: docker/[email protected]
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ${{ inputs.registry }}
           username: ${{ inputs.username }}
@@ -324,7 +324,7 @@ jobs:
       # When building with `inputs.tag` set, `steps.meta.outputs.tags` contains multiple entries, so it cannot be used
       # directly in sources. Instead, the sources are constructed using the `inputs.registry`, `inputs.image-name` and
       # `needs.semver.outputs.fullversion`.
-      - uses: int128/docker-manifest-create-action@v2
+      - uses: int128/docker-manifest-create-action@736aaa0f6ae97b2fb7f43e8dcef3ab47a02ea96e # v2.8.0
         if: ${{ inputs.tag != '' }}
         with:
           tags: ${{ steps.meta.outputs.tags }}
@@ -335,7 +335,7 @@ jobs:
       # When building on schedule, `steps.meta.outputs.tags` contains multiple entries, so it cannot be used
       # directly in sources. Instead, the sources are constructed using the `inputs.registry`, `inputs.image-name` and
       # the current date.
-      - uses: int128/docker-manifest-create-action@v2
+      - uses: int128/docker-manifest-create-action@736aaa0f6ae97b2fb7f43e8dcef3ab47a02ea96e # v2.8.0
         if: ${{ inputs.tag == '' && github.event_name == 'schedule' }}
         with:
           tags: ${{ steps.meta.outputs.tags }}
@@ -345,7 +345,7 @@ jobs:
 
       # When building on push (e.g. on main), `steps.meta.outputs.tags` contains only a single entry, so it can be used
       # directly in sources.
-      - uses: int128/docker-manifest-create-action@v2
+      - uses: int128/docker-manifest-create-action@736aaa0f6ae97b2fb7f43e8dcef3ab47a02ea96e # v2.8.0
         if: ${{ inputs.tag == '' && github.event_name == 'push' }}
         with:
           tags: ${{ steps.meta.outputs.tags }}

.github/workflows/__release-workflow.yaml

@@ -81,7 +81,7 @@ jobs:
       prerelease: ${{ steps.semver_parser.outputs.prerelease }}
     runs-on: ubuntu-latest
     steps:
-      - uses: mukunku/[email protected]
+      - uses: mukunku/tag-exists-action@bdad1eaa119ce71b150b952c97351c75025c06a9 # v1.6.0
         id: check-tag
         name: Check if tag already exists
         with:
@@ -100,7 +100,7 @@ jobs:
 
       - name: Parse semver string
         id: semver_parser
-        uses: booxmedialtd/[email protected]
+        uses: booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3 # v1.4.7
         with:
           input_string: ${{ inputs.tag }}
           version_extractor_regex: 'v(.*)$'
@@ -143,7 +143,7 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
         with:
           install: false
 
@@ -161,7 +161,7 @@ jobs:
       - name: Get Kong Enterprise License
         if: steps.check-op-service-account-token.outputs.provided == 'true'
         id: get-license
-        uses: Kong/kong-license@master
+        uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master in 20250107
         with:
           # OP (1Password) token is used to fetch the Kong Enterprise License from 1Password.
           op-token: ${{ secrets.op-service-account-token }}
@@ -201,7 +201,7 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
         with:
           install: false
 
@@ -219,7 +219,7 @@ jobs:
       - name: Get Kong Enterprise License
         if: steps.check-op-service-account-token.outputs.provided == 'true'
         id: get-license
-        uses: Kong/kong-license@master
+        uses: Kong/kong-license@c4decf08584f84ff8fe8e7cd3c463e0192f6111b # master in 20250107
         with:
           # OP (1Password) token is used to fetch the Kong Enterprise License from 1Password.
           op-token: ${{ secrets.op-service-account-token }}
@@ -284,7 +284,7 @@ jobs:
           echo "VERSION=${VERSION}" >> $GITHUB_ENV
           echo ${VERSION} > VERSION
 
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
         with:
           install: false
 
@@ -302,7 +302,7 @@ jobs:
         run: make bundle
 
       - name: GPG sign the commits
-        uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5
+        uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0
         with:
           gpg_private_key: ${{ secrets.gpg-private-key }}
           passphrase: ${{ secrets.gpg-passphrase }}
@@ -317,7 +317,7 @@ jobs:
 
       # PRs will update the version file and manifests
       - name: Create a release PR
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.6
         with:
           token: ${{ secrets.gh-pat }}
           path: .

.github/workflows/release-bot.yaml

@@ -64,13 +64,13 @@ jobs:
 
       - name: Parse semver string
         id: semver_parser
-        uses: booxmedialtd/[email protected]
+        uses: booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3 # v1.4.7
         with:
           input_string: ${{ env.VERSION }}
           version_extractor_regex: '(.*)$'
 
       - name: check if tag already exists
-        uses: mukunku/[email protected]
+        uses: mukunku/tag-exists-action@bdad1eaa119ce71b150b952c97351c75025c06a9 # v1.6.0
         id: tag_exists
         with:
           tag: ${{ steps.commit_parser.outputs.release_version }}
@@ -88,7 +88,7 @@ jobs:
     if: ${{ needs.look_for_release.outputs.release_found == 'true' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: ncipollo/release-action@v1
+      - uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
         with:
           body: |
             #### Download Kong Gateway Operator ${{ needs.semver.outputs.version }}:
@@ -117,7 +117,7 @@ jobs:
     if: ${{ needs.look_for_release.outputs.release_found == 'true' && needs.semver.outputs.patch == '0' && needs.semver.outputs.prerelease == '' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: peterjgrainger/[email protected]
+      - uses: peterjgrainger/action-create-branch@10c7d268152480ae859347db45dc69086cef1d9c # v3.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -136,7 +136,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: carloscastrojumo/[email protected]
+      - uses: carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3 # v1.0.10
         with:
           branch: main
           title: '[cherry-pick] ${{ needs.semver.outputs.version }} - ${{ github.sha }}'

.github/workflows/tests.yaml

@@ -32,7 +32,7 @@ jobs:
       with:
         go-version-file: go.mod
 
-    - uses: jdx/mise-action@v2
+    - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
       with:
         install: false
 
@@ -53,15 +53,15 @@ jobs:
       with:
         go-version-file: go.mod
 
-    - uses: jdx/mise-action@v2
+    - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
       with:
         install: false
 
     - name: Verify manifests consistency
       run: make verify.manifests
 
     - name: Verify generators consistency
-      uses: nick-fields/retry@v3
+      uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 
       with:
         timeout_minutes: 3
         max_attempts: 3
@@ -79,9 +79,9 @@ jobs:
         go-version-file: go.mod
 
     - name: Create k8s KinD Cluster
-      uses: helm/[email protected]
+      uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
 
-    - uses: jdx/mise-action@v2
+    - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
       with:
         install: false
 
@@ -108,9 +108,9 @@ jobs:
         go-version-file: go.mod
 
     - name: Create k8s KinD Cluster
-      uses: helm/[email protected]
+      uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
 
-    - uses: jdx/mise-action@v2
+    - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
       with:
         install: false
 
@@ -152,7 +152,7 @@ jobs:
       with:
         go-version-file: go.mod
 
-    - uses: jdx/mise-action@v2
+    - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
       with:
         install: false
 
@@ -186,7 +186,7 @@ jobs:
       with:
         go-version-file: go.mod
 
-    - uses: jdx/mise-action@v2
+    - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
       with:
         install: false
 
@@ -228,7 +228,7 @@ jobs:
       with:
         go-version-file: go.mod
 
-    - uses: jdx/mise-action@v2
+    - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
       with:
         install: false
 
@@ -277,7 +277,7 @@ jobs:
       with:
         go-version-file: go.mod
 
-    - uses: jdx/mise-action@v2
+    - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
       with:
         install: false
 
@@ -332,7 +332,7 @@ jobs:
       with:
         go-version-file: go.mod
 
-    - uses: jdx/mise-action@v2
+    - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
       with:
         install: false
 
@@ -382,7 +382,7 @@ jobs:
       with:
         go-version-file: go.mod
 
-    - uses: jdx/mise-action@v2
+    - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
       with:
         install: false
 
@@ -435,7 +435,7 @@ jobs:
         TAG: e2e-${{ github.sha }}
       run: make docker.build
 
-    - uses: jdx/mise-action@v2
+    - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
       with:
         install: false
 
@@ -484,7 +484,7 @@ jobs:
 
       - name: Upload test results to BuildPulse for flaky test detection
         if: ${{ !cancelled() }}
-        uses: buildpulse/[email protected]
+        uses: buildpulse/buildpulse-action@d4d8e00c645a2e3db0419a43664bbcf868080234 # v0.12.0
         with:
           account: 962416
           repository: 477814940