From 09aa313f057a46e59d572bd27e3f2083f4eaf0d5 Mon Sep 17 00:00:00 2001
From: David Gageot
Date: Tue, 24 Mar 2026 18:13:49 +0100
Subject: [PATCH] Pin GitHub actions
| Action | Status |
|--------|--------|
| actions/checkout | v6.0.1 -> v6.0.2 |
| actions/setup-go | v6.2.0 -> v6.3.0 |
| actions/cache/restore | already pinned |
| actions/cache/save | already pinned |
| actions/cache | v4.2.0 -> v4.2.3 |
| actions/github-script | already pinned |
| docker/login-action | v3.6.0 -> v3.7.0 |
| docker/setup-buildx-action | already pinned |
| docker/metadata-action | already pinned |
| docker/build-push-action | v6.18.0 -> v6.19.0 |
| docker/cagent-action (auto-issue-triage.yml) | pinned |
| docker/cagent-action (nightly-scan.yml) | pinned |
| docker/cagent-action (pr-review.yml) | pinned |
| golangci/golangci-lint-action | v9.1.0 -> v9.2.0 |
| raven-actions/actionlint | v2.1.1 -> v2.1.2 |
| go-task/setup-task | already pinned |
| tibdex/github-app-token | already pinned |
Signed-off-by: David Gageot
Assisted-By: docker-agent
---
 .github/workflows/auto-issue-triage.yml | 4 ++--
 .github/workflows/ci.yml | 22 +++++++++++-----------
 .github/workflows/nightly-scan.yml | 8 ++++----
 .github/workflows/pr-review.yml | 2 +-
 4 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/auto-issue-triage.yml b/.github/workflows/auto-issue-triage.yml
index 1738d7e1a..f0a9b979e 100644
--- a/.github/workflows/auto-issue-triage.yml
+++ b/.github/workflows/auto-issue-triage.yml
@@ -27,7 +27,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 1
@@ -84,7 +84,7 @@ jobs:
 - name: Run triage agent
 id: agent
 continue-on-error: true
- uses: docker/cagent-action@latest
+ uses: docker/cagent-action@3a12dbd0c6cd7dda3d4e05f24f0143c9701456de # latest (v1.2.13)
 env:
 GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
 with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 81ee09b3d..d7f12f011 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,21 +20,21 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up Go
- uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+ uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
 with:
 go-version: "1.26.1"
 cache: true
 - name: Lint
- uses: golangci/golangci-lint-action@e7fa5ac41e1cf5b7d48e45e42232ce7ada589601 # v9.1.0
+ uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
 with:
 version: v2.9
 - name: Lint GitHub Actions
- uses: raven-actions/actionlint@e01d1ea33dd6a5ed517d95b4c0c357560ac6f518 # v2.1.1
+ uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 # v2.1.2
 with:
 fail-on-error: true
 pyflakes: false
@@ -43,10 +43,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up Go
- uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+ uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
 with:
 go-version: "1.26.1"
 cache: true
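Review bot: The trailing comment on the new `docker/cagent-action` pin in auto-issue-triage.yml, `# latest (v1.2.13)`, still says "latest" although the reference no longer follows that tag, and it differs from the `# vX.Y.Z` form used on every other pin in this patch. Update tooling that reads the version comment beside a SHA may not parse it, so I would write `uses: docker/cagent-action@3a12dbd0c6cd7dda3d4e05f24f0143c9701456de # v1.2.13`. The diff cannot show that this SHA is the commit the v1.2.13 tag points to in docker/cagent-action itself, so that should be confirmed against the upstream tag before merge. The same comment appears on the pins in nightly-scan.yml and pr-review.yml, and the job containing this step starts and ends outside the hunk.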
@@ -71,10 +71,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up Go
- uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+ uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
 with:
 go-version: "1.26.1"
 cache: true
@@ -90,11 +90,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Hub login
 if: github.event_name != 'pull_request'
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
 password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
@@ -114,7 +114,7 @@ jobs:
 type=ref,event=pr
 - name: Build and push image
- uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ uses: docker/build-push-action@ee4ca427a2f43b6a16632044ca514c076267da23 # v6.19.0
 with:
 context: .
 platforms: linux/amd64,linux/arm64
diff --git a/.github/workflows/nightly-scan.yml b/.github/workflows/nightly-scan.yml
index d19186778..d4d091e42 100644
--- a/.github/workflows/nightly-scan.yml
+++ b/.github/workflows/nightly-scan.yml
@@ -28,7 +28,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 1
@@ -36,7 +36,7 @@ jobs:
 run: mkdir -p "${{ github.workspace }}/.cache"
 - name: Restore scanner memory
- uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+ uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
 path: ${{ github.workspace }}/.cache/scanner-memory.db
 key: scanner-memory-${{ github.repository }}-${{ github.run_id }}
@@ -53,7 +53,7 @@ jobs:
 private_key: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }}
 - name: Run nightly scan
- uses: docker/cagent-action@latest
+ uses: docker/cagent-action@3a12dbd0c6cd7dda3d4e05f24f0143c9701456de # latest (v1.2.13)
 env:
 GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
 with:
@@ -66,7 +66,7 @@ jobs:
 timeout: 1200
 - name: Save scanner memory
- uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+ uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 if: always()
 with:
 path: ${{ github.workspace }}/.cache/scanner-memory.db
diff --git a/.github/workflows/pr-review.yml b/.github/workflows/pr-review.yml
index 0510d8845..3c36e5e40 100644
--- a/.github/workflows/pr-review.yml
+++ b/.github/workflows/pr-review.yml
@@ -13,7 +13,7 @@ permissions:
 jobs:
 review:
- uses: docker/cagent-action/.github/workflows/review-pr.yml@latest
+ uses: docker/cagent-action/.github/workflows/review-pr.yml@3a12dbd0c6cd7dda3d4e05f24f0143c9701456de # latest (v1.2.13)
 permissions:
 contents: read
 pull-requests: write
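Review bot: Pinning the reusable workflow in pr-review.yml to a commit fixes only the content of `review-pr.yml`; the actions that workflow calls are resolved from whatever refs are written in it at that commit, which this diff does not show. If any of those are tag or branch refs they stay mutable, and the `review` job is granted `pull-requests: write`, so the called workflow's own `uses:` lines at 3a12dbd should be checked before this pin is relied on. A comment above the line such as `# reusable workflow; nested action refs reviewed at this commit` would record that the check was done. The `review` job may continue past the end of the hunk.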