chore(deps): pin dependencies

Author: renovate[bot]

.github/workflows/api-check.yml

@@ -20,7 +20,7 @@ jobs:
       OS_DOMAIN: apps.silver.devops.gov.bc.ca
       GTW_DOMAIN: api.gov.bc.ca
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Postman Smoke Test on API Gateway
         uses: matt-ball/newman-action@master

.github/workflows/merge.yml

@@ -41,7 +41,7 @@ jobs:
     environment:
       name: test
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Deploys
         uses: bcgov/action-deployer-openshift@d972993c70aba88e4f2fe66a66c4b7149fa9fcad # v4.0.0
         with:
@@ -84,7 +84,7 @@ jobs:
     environment:
       name: prod
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Deploys
         uses: bcgov/action-deployer-openshift@d972993c70aba88e4f2fe66a66c4b7149fa9fcad # v4.0.0

.github/workflows/pr-open.yml

@@ -20,10 +20,10 @@ jobs:
     outputs:
       semver: ${{ steps.changelog.outputs.tag }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Pull request size and stability labels
-        uses: actions/labeler@v6
+        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6
         continue-on-error: true
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
@@ -145,7 +145,7 @@ jobs:
       checks: write
       pull-requests: write
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: API Health check
         uses: matt-ball/newman-action@master
         with:

.github/workflows/reusable-tests-be.yml

@@ -28,7 +28,7 @@ jobs:
 
       - name: Archive CycloneDX
         continue-on-error: true
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: cyclone-backend
           path: target/bom.json

.github/workflows/reusable-tests-repo.yml

@@ -9,7 +9,7 @@ jobs:
     if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Run Trivy vulnerability scanner in repo mode
         uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
         with:
@@ -21,7 +21,7 @@ jobs:
           severity: "CRITICAL,HIGH"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3
         with:
           sarif_file: "trivy-results.sarif"
 
@@ -33,14 +33,14 @@ jobs:
       contents: read
       security-events: write
     steps:
-      - uses: actions/checkout@v5
-      - uses: github/codeql-action/init@v3
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3
         with:
           languages: javascript,java
 
       # Autobuild failed for Java, so building manually
       - name: Set up JDK 17 and Caching maven dependencies
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5
         with:
           distribution: "temurin"
           java-version: "17"
@@ -51,4 +51,4 @@ jobs:
         run: ./mvnw clean package
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3