chore(ci): pin workflow actions and publish latest on main

.github/actions/auto-tag/action.yml

@@ -18,7 +18,7 @@ runs:
   steps:
     - name: Generate metadata (auto tags)
       id: meta
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
       with:
         images: ${{ inputs.image }}
 

.github/actions/matrix-support/action.yml

@@ -31,8 +31,7 @@ runs:
   using: composite
   steps:
     - name: Checkout
-    
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Derive platform matrix values
       id: platforms
@@ -60,14 +59,14 @@ runs:
 
     - name: Set up Go
       if: inputs.service != 'dashboard'
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4.3.0
       with:
         go-version: '1.22'
         cache: true
 
     - name: Cache Go build data
       if: inputs.service != 'dashboard'
-      uses: actions/cache@v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
         path: |
           ~/.cache/go-build
@@ -79,7 +78,7 @@ runs:
 
     - name: Set up Node.js
       if: inputs.service == 'dashboard'
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: 20
         cache: yarn
@@ -87,7 +86,7 @@ runs:
 
     - name: Cache dashboard artifacts
       if: inputs.service == 'dashboard'
-      uses: actions/cache@v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
         path: |
           dashboard/.next/cache
@@ -99,8 +98,8 @@ runs:
 
     - name: Enable Docker build tooling
       if: inputs.enable_docker == 'true'
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
     - name: Set up buildx
       if: inputs.enable_docker == 'true'
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

.github/actions/security/action.yml

@@ -23,7 +23,7 @@ runs:
 
     - name: Run golangci-lint
       if: inputs.service != 'dashboard'
-      uses: golangci/golangci-lint-action@v6
+      uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae # v6.2.0
       with:
         version: latest
         args: ./...
@@ -40,7 +40,7 @@ runs:
 
     - name: Trivy filesystem scan
       if: inputs.service != 'dashboard'
-      uses: aquasecurity/trivy-action@0.24.0
+      uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
       with:
         scan-type: fs
         scan-ref: .
@@ -63,7 +63,7 @@ runs:
 
     - name: Semgrep security rules
       if: inputs.service == 'dashboard'
-      uses: returntocorp/semgrep-action@v1
+      uses: returntocorp/semgrep-action@713efdd345f3035192eaa63f56867b88e63e4e5d # v1
       with:
         config: p/ci
         paths: dashboard

.github/workflows/build-base-images.yml

@@ -71,9 +71,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: docker/login-action@v3
+      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -85,11 +85,11 @@ jobs:
         with:
           image: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ matrix.image.name }}
 
-      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
-      - uses: docker/setup-buildx-action@v3
+      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
-      - uses: docker/build-push-action@v6
+      - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
         id: build
         with:
           context: .
@@ -104,7 +104,7 @@ jobs:
       # -------------------------------------------------------------
       - name: Login to Docker Hub
         if: env.PUSH_IMAGES == 'true'
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: docker.io
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -143,7 +143,7 @@ jobs:
       # -------------------------------------------------------------
       # Checkout source
       # -------------------------------------------------------------
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Resolve short sha tag
         id: vars
@@ -153,12 +153,12 @@ jobs:
           echo "sha_short=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
 
 
-      - uses: anchore/sbom-action@v0
+      - uses: anchore/sbom-action@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
         with:
           image: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ matrix.image.name }}:${{ steps.vars.outputs.sha_short }}
           output-file: sbom.spdx.json
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: sbom-${{ matrix.image.name }}
           path: sbom.spdx.json
@@ -166,13 +166,13 @@ jobs:
       # -------------------------------------------------------------
       # Trivy Vulnerability Scan
       # -------------------------------------------------------------
-      - uses: aquasecurity/trivy-action@0.28.0
+      - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           image-ref: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ matrix.image.name }}:${{ steps.vars.outputs.sha_short }}
           severity: HIGH,CRITICAL
           exit-code: '1'
 
-      - uses: sigstore/cosign-installer@v3
+      - uses: sigstore/cosign-installer@2e2f661cd4be3a4b891a882064e49d0fed4b7b88 # v3.9.0
         with:
           cosign-release: 'v2.4.1'
 

.github/workflows/build-push-ghcr-image.yml

@@ -42,13 +42,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check Out Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set Up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: Log In To GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ vars.GHCR_USERNAME || github.repository_owner }}
@@ -56,16 +56,16 @@ jobs:
 
       - name: Compute Image Tags
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_REPO_OWNER }}/${{ env.IMAGE_NAME }}
           tags: |
             type=raw,value=${{ inputs.image_tag }},enable=${{ inputs.image_tag != '' }}
             type=sha,format=short,enable=${{ inputs.image_tag == '' }}
-            type=raw,value=latest,enable=${{ inputs.push_latest }}
+            type=raw,value=latest,enable=${{ inputs.push_latest || github.ref == 'refs/heads/main' }}
 
       - name: Build And Push Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
         with:
           context: .
           file: Dockerfile