Pin unpinned actions and normalize Docker image refs for frizbee

tashian · claude · tashian · commit 8450c29b354e · 2026-03-02T17:25:34.000-08:00
- Pin google-github-actions/auth and setup-gcloud to SHAs in goreleaser.yml
- Normalize Docker image refs to index.docker.io format with digest
  (required by frizbee-action for proper pinning detection)

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
@@ -9,6 +9,6 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check workflow files
-        uses: docker://rhysd/actionlint:1.7.11@sha256:6f03470d0152251d7f07f7c4dc019dbe7024c72cd952f839544c7798843efa8f
+        uses: docker://index.docker.io/rhysd/actionlint@sha256:6f03470d0152251d7f07f7c4dc019dbe7024c72cd952f839544c7798843efa8f # 1.7.11
         with:
           args: -color
diff --git a/.github/workflows/goCI.yml b/.github/workflows/goCI.yml
@@ -90,7 +90,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check workflow files
-        uses: docker://rhysd/actionlint:1.7.11@sha256:6f03470d0152251d7f07f7c4dc019dbe7024c72cd952f839544c7798843efa8f
+        uses: docker://index.docker.io/rhysd/actionlint@sha256:6f03470d0152251d7f07f7c4dc019dbe7024c72cd952f839544c7798843efa8f # 1.7.11
         with:
           args: -color
 
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
@@ -130,15 +130,15 @@ jobs:
         name: Authenticate to Google Cloud
         if: inputs.enable-packages-upload
         id: gcloud-auth
-        uses: google-github-actions/auth@v3
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
         with:
           token_format: access_token
           workload_identity_provider: ${{ secrets.GOOGLE_CLOUD_WORKLOAD_IDENTITY_PROVIDER }}
           service_account: ${{ secrets.GOOGLE_CLOUD_GITHUB_SERVICE_ACCOUNT }}
       -
         name: Set up Google Cloud SDK
         if: inputs.enable-packages-upload
-        uses: google-github-actions/setup-gcloud@v3
+        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3
         with:
           project_id: ${{ secrets.GOOGLE_CLOUD_PACKAGES_PROJECT_ID }}
       -
