ci: pin GitHub Actions to commit SHAs and add pinact

.github/workflows/publish.yaml

@@ -19,7 +19,7 @@ jobs:
       new-version: ${{ steps.check.outputs.new_version }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-tags: true
           fetch-depth: 0
@@ -74,17 +74,17 @@ jobs:
             nix_package: sysdig-mcp-server-image-aarch64
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Install Nix
         # Pinned to v21 commit SHA for supply-chain safety.
         # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
-        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+        uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22
 
       - name: Enable Nix cache
         # Pinned to v13 commit SHA for supply-chain safety.
         # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
-        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+        uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # v14
         with:
           use-flakehub: false
 
@@ -97,18 +97,18 @@ jobs:
           echo "FROM base" > /tmp/Dockerfile.push
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Push image by digest
         id: push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           file: /tmp/Dockerfile.push
           build-contexts: |
@@ -124,7 +124,7 @@ jobs:
           touch "/tmp/digests/${digest#sha256:}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: digests-${{ matrix.arch }}
           path: /tmp/digests/*
@@ -142,17 +142,17 @@ jobs:
       REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server
     steps:
       - name: Download digests
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: /tmp/digests
           pattern: digests-*
           merge-multiple: true
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -197,17 +197,17 @@ jobs:
           - { goos: windows, goarch: "386", ext: zip }
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Install Nix
         # Pinned to v21 commit SHA for supply-chain safety.
         # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
-        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+        uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22
 
       - name: Enable Nix cache
         # Pinned to v13 commit SHA for supply-chain safety.
         # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
-        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+        uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # v14
         with:
           use-flakehub: false
 
@@ -226,7 +226,7 @@ jobs:
           fi
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: binary-${{ matrix.goos }}-${{ matrix.goarch }}
           path: sysdig-mcp-server_${{ matrix.goos }}-${{ matrix.goarch }}.${{ matrix.ext }}
@@ -241,20 +241,20 @@ jobs:
     permissions:
       contents: write # Required for release creation
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
           fetch-tags: true
 
       - name: Install Nix
         # Pinned to v21 commit SHA for supply-chain safety.
         # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
-        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+        uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22
 
       - name: Enable Nix cache
         # Pinned to v13 commit SHA for supply-chain safety.
         # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
-        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+        uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # v14
         with:
           use-flakehub: false
 
@@ -268,7 +268,7 @@ jobs:
         run: git-chglog -c .github/git-chglog/config.yml -o RELEASE_CHANGELOG.md $(git describe --tags $(git rev-list --tags --max-count=1))
 
       - name: Download binary artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: /tmp/binaries
           pattern: binary-*
@@ -279,7 +279,7 @@ jobs:
         run: sha256sum * > checksums.txt
 
       - name: Create release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
         with:
           name: ${{ needs.get-newer-version.outputs.new-version }}
           tag_name: ${{ needs.get-newer-version.outputs.new-version }}

.github/workflows/pull-request-ci.yaml

@@ -22,17 +22,17 @@ jobs:
         shell: nix develop --command bash {0}
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Install Nix
         # Pinned to v21 commit SHA for supply-chain safety.
         # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
-        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+        uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22
 
       - name: Enable Nix cache
         # Pinned to v13 commit SHA for supply-chain safety.
         # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
-        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+        uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # v14
         with:
           use-flakehub: false
 
@@ -67,20 +67,20 @@ jobs:
             nix_package: sysdig-mcp-server-image-aarch64
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           ref: ${{ github.sha }}
           fetch-depth: "0"
 
       - name: Install Nix
         # Pinned to v21 commit SHA for supply-chain safety.
         # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
-        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+        uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22
 
       - name: Enable Nix cache
         # Pinned to v13 commit SHA for supply-chain safety.
         # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
-        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+        uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # v14
         with:
           use-flakehub: false
 
@@ -98,7 +98,7 @@ jobs:
         run: docker run --rm "${{ steps.load.outputs.image_tag }}" --help | grep "Sysdig MCP Server"
 
       - name: Scan Docker image
-        uses: sysdiglabs/scan-action@v6
+        uses: sysdiglabs/scan-action@607e6bc13f737906e66e81d98e74a69cf356af08 # v6.3.6
         with:
           image-tag: ${{ steps.load.outputs.image_tag }}
           sysdig-secure-token: ${{ secrets.SECURE_ENV_MON_API_KEY }}
@@ -112,18 +112,18 @@ jobs:
           echo "FROM base" > /tmp/Dockerfile.push
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Push image by digest
         id: push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           file: /tmp/Dockerfile.push
           build-contexts: |
@@ -139,7 +139,7 @@ jobs:
           touch "/tmp/digests/${digest#sha256:}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: digests-${{ matrix.arch }}
           path: /tmp/digests/*
@@ -158,17 +158,17 @@ jobs:
       REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server
     steps:
       - name: Download digests
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: /tmp/digests
           pattern: digests-*
           merge-multiple: true
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/stale.yml

@@ -11,7 +11,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
         with:
           stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days'
           stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days'

flake.nix

@@ -52,15 +52,16 @@
               packages = [
                 ginkgo
                 go_1_26
-                govulncheck
                 gofumpt
                 golangci-lint
+                govulncheck
                 just
                 mockgen
                 nix-prefetch-docker
+                pinact
                 pre-commit
-                skopeo
                 sd
+                skopeo
               ];
               shellHook = ''
                 pre-commit install

justfile

@@ -39,6 +39,7 @@ update:
 	nix develop --command go get -u -t -v ./...
 	nix develop --command go mod tidy
 	nix develop --command just rehash-package-nix
+	nix develop --command pinact run -u
 	nix develop --command pre-commit autoupdate
 	nix develop --command just update-base-images