From b4e2cf230927d4ffdb173e91f64c9b52d1c9fe12 Mon Sep 17 00:00:00 2001
From: "Peter A. Jonsson"
Date: Mon, 8 Sep 2025 09:20:07 +0200
Subject: [PATCH] CI: update+pin actions by hash
---
 .github/workflows/create-new-tag.yml | 4 ++--
 .github/workflows/main.yml | 12 ++++++------
 .github/workflows/publish-new-version.yml | 10 +++++-----
 .github/workflows/statistician-dive.yml | 6 +++---
 .github/workflows/statistician-image.yml | 16 ++++++++--------
 5 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/.github/workflows/create-new-tag.yml b/.github/workflows/create-new-tag.yml
index c823a39d..6968b6e7 100644
--- a/.github/workflows/create-new-tag.yml
+++ b/.github/workflows/create-new-tag.yml
@@ -12,7 +12,7 @@ jobs:
 bump_version:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 fetch-depth: 2
@@ -23,7 +23,7 @@ jobs:
 - name: Patch Package Versions when code change.
 id: patch-version
- uses: anothrNick/github-tag-action@v1
+ uses: anothrNick/github-tag-action@4ed44965e0db8dab2b466a16da04aec3cc312fd8 # 1.75.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 DEFAULT_BUMP: patch
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 3f7328ba..2d044de4 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -29,18 +29,18 @@ jobs:
 && github.event.workflow_run.conclusion == 'success')
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 fetch-depth: 0
- - uses: actions/cache@v4
+ - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
 id: wheels_cache
 with:
 path: ./wheels
 key: wheels-${{ github.sha }}
 - name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
 with:
 python-version: "3.10"
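Review bot: Nothing validates the trailing `# v5.0.0`-style comments against the 40-character SHAs they annotate, since the runner resolves only the SHA; this starts at the `actions/checkout` line in the first create-new-tag.yml hunk and applies to every `uses:` line in the patch. Each SHA/comment pair should be compared with the upstream release tag before merge. Pinned SHAs never move, so an updater is needed to keep them current (whether the repository already has one is not visible here); a Dependabot entry with `package-ecosystem: "github-actions"` in `.github/dependabot.yml` rewrites both the SHA and the version comment. The patch also combines pinning with major upgrades (checkout v3/v4 to v5.0.0, setup-python v5 to v6.0.0, configure-aws-credentials v1 to v5.0.0), which makes a later regression harder to attribute than separate pin-only and upgrade commits would.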
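Review bot: The `GITHUB_TOKEN` in the second create-new-tag.yml hunk is still handed to the third-party `anothrNick/github-tag-action` step, and no job-level `permissions:` key appears between `bump_version:` and `steps:` in the preceding hunk. A workflow-level block may exist above line 12, outside the diff; if there is none, the token carries the repository's default scope. Declaring `permissions:` with `contents: write` under `bump_version:` would limit what the pinned action can do with the token to what tagging needs. The step's `env:` block continues past the end of the hunk.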
@@ -82,7 +82,7 @@ jobs:
 - build-wheels
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Install Dependencies
 shell: bash
@@ -98,7 +98,7 @@ jobs:
 pip freeze
 - name: Get Wheels from Cache
- uses: actions/cache@v4
+ uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
 id: wheels_cache
 with:
 path: ./wheels
@@ -147,7 +147,7 @@ jobs:
 if: |
 github.repository == 'opendatacube/odc-stats'
- uses: codecov/codecov-action@v4
+ uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 fail_ci_if_error: false
diff --git a/.github/workflows/publish-new-version.yml b/.github/workflows/publish-new-version.yml
index b4b8aadf..e6d9d1bb 100644
--- a/.github/workflows/publish-new-version.yml
+++ b/.github/workflows/publish-new-version.yml
@@ -14,15 +14,15 @@ jobs:
 && github.event.workflow_run.conclusion == 'success'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/cache@v4
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
 id: wheels_cache
 with:
 path: ./wheels
 key: wheels-${{ github.sha }}
 - name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
 with:
 python-version: "3.10"
@@ -51,8 +51,8 @@ jobs:
 && github.event.workflow_run.conclusion == 'success'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/cache@v4
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
 id: wheels_cache
 with:
 path: ./wheels
diff --git a/.github/workflows/statistician-dive.yml b/.github/workflows/statistician-dive.yml
index 2fd5d3e9..b8953f1e 100644
--- a/.github/workflows/statistician-dive.yml
+++ b/.github/workflows/statistician-dive.yml
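Review bot: The `wheels_cache` step in the first publish-new-version.yml hunk still restores `./wheels` from `actions/cache` under `key: wheels-${{ github.sha }}` in a `workflow_run`-gated job, and pinning the action does not make the restored contents trustworthy: cache entries can be evicted and the cache is not an integrity-checked hand-off between workflows. The steps that consume the wheels are outside the hunk, so the publishing use is inferred from the file name. If they upload to a package index, the job should fail closed on a miss with `fail-on-cache-miss: true` under `with:`. It should also check the wheels against hashes recorded by the build job before uploading. The same restore appears in the second hunk of this file and in the `Get Wheels from Cache` step of main.yml.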
@@ -26,10 +26,10 @@ jobs:
 name: Analyze image efficiency
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: lint
- uses: luke142367/Docker-Lint-Action@v1.1.1
+ uses: luke142367/Docker-Lint-Action@5c4c86226f39785a66827bbc2e322600c9afa3a9 # v1.1.1
 with:
 target: docker/Dockerfile
 env:
@@ -47,7 +47,7 @@ jobs:
 wagoodman/dive:v0.12.0 --ci-config /.dive-ci ${ORG}/${IMAGE}:_build
 - name: Docker image size check
- uses: wemake-services/docker-image-size-limit@2.0.0
+ uses: wemake-services/docker-image-size-limit@cbc4fff807e8d490ec7d808c52991387649ffa65 # 2.1.0
 with:
 image: ${{ env.ORG }}/${{ env.IMAGE}}:_build
 size: "3 GiB"
diff --git a/.github/workflows/statistician-image.yml b/.github/workflows/statistician-image.yml
index 85a3855c..cc2b2996 100644
--- a/.github/workflows/statistician-image.yml
+++ b/.github/workflows/statistician-image.yml
@@ -31,10 +31,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: lint Dockerfile
- uses: hadolint/hadolint-action@v2.0.0
+ uses: hadolint/hadolint-action@3fc49fb50d59c6ab7917a2e4195dba633e515b29 # v3.2.0
 with:
 dockerfile: docker/Dockerfile
 ignore: DL3008,DL3002,DL3013,DL3059,SC2102
@@ -59,7 +59,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Build a new docker image with tag
 id: tag-image
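Review bot: The context line `wagoodman/dive:v0.12.0 --ci-config /.dive-ci ${ORG}/${IMAGE}:_build` in the second statistician-dive.yml hunk still references the container image by mutable tag, so this job keeps one unpinned third-party dependency after the commit. Pinning it by digest, `wagoodman/dive:v0.12.0@sha256:DIGEST_PLACEHOLDER` (placeholder; take the real value from the registry), would match the policy applied to the `uses:` lines. The command that runs the image starts above the hunk, so how the image is invoked is not visible here.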
@@ -76,16 +76,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
 with:
 role-to-assume: arn:aws:iam::538673716275:role/github-actions-role
 aws-region: ap-southeast-2
 - name: Push image to ECR
- uses: whoan/docker-build-with-cache-action@master
+ uses: whoan/docker-build-with-cache-action@d8d3ad518e7ac382b880720d0751815e656fe032 # v8.1.0
 with:
 context: ./docker
 registry: 538673716275.dkr.ecr.ap-southeast-2.amazonaws.com
@@ -101,10 +101,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Push image to ghcr
- uses: whoan/docker-build-with-cache-action@master
+ uses: whoan/docker-build-with-cache-action@d8d3ad518e7ac382b880720d0751815e656fe032 # v8.1.0
 with:
 context: ./docker
 registry: ghcr.io
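Review bot: The `Configure AWS credentials` step in the first hunk of this part of statistician-image.yml jumps `aws-actions/configure-aws-credentials` from v1 to v5.0.0 while supplying only `role-to-assume` and `aws-region`, so it presumably authenticates through GitHub OIDC. That requires `permissions:` with `id-token: write` on the job, and no such key is visible between the hunk header and `steps:` (it may sit above line 76). The control that actually protects the hard-coded `github-actions-role` is its IAM trust policy, which this diff does not show. Confirm it conditions `token.actions.githubusercontent.com:sub` on this repository and the intended ref rather than a wildcard. Once confirmed, a comment above `role-to-assume` such as `# OIDC: trust policy restricted to this repo and ref` would record that for the next reviewer.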