From 480b7a1d67f8c59caf304fe11dcd69dcb25c23d1 Mon Sep 17 00:00:00 2001
From: Evan Huus
Date: Wed, 6 May 2026 09:55:57 -0400
Subject: [PATCH] Harden supply-chain by pinning image references by digest
---
 .github/workflows/changie-gen.yaml | 4 ++--
 .github/workflows/release.yaml | 16 ++++++++--------
 .github/workflows/reports.yml | 2 +-
 .github/workflows/tests.yml | 10 +++++-----
 src/Dockerfile | 4 ++--
 5 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/changie-gen.yaml b/.github/workflows/changie-gen.yaml
index 9913db0..de6eb3b 100644
--- a/.github/workflows/changie-gen.yaml
+++ b/.github/workflows/changie-gen.yaml
@@ -20,7 +20,7 @@ jobs:
 steps:
 - name: Checkout branch that Dependabot labeled
 if: github.event.workflow_run.conclusion == 'success'
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ env.PR_BRANCH }}
 token: ${{ secrets.GITHUB_TOKEN }}
@@ -43,7 +43,7 @@ jobs:
 if: >-
 github.event.workflow_run.conclusion == 'success' &&
 steps.changelog_check.outputs.exists == 'false'
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version-file: 'src/go.mod'
 cache-dependency-path: src/go.sum
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5ea929e..195e106 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -14,7 +14,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 submodules: 'true'
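Review bot: The trailing `# v6` comment on the new `uses: actions/checkout@de0fac2e…` line names a floating major tag rather than the release the SHA was resolved from, so a reader (or a digest-update bot) cannot verify that the commit still corresponds to the intended release. Record the exact tag instead, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v<exact-release-tag>`; goreleaser-action further down already records `# v6.1.0`, which is the form to copy. The same applies to the setup-go pin in the second hunk and to every other `# vN` pin this commit adds in release.yaml, reports.yml and tests.yml. A SHA pin also only stays meaningful with an updater configured for it — if the repository has no Dependabot entry with `package-ecosystem: github-actions` (not visible in this diff, so I can't tell), these SHAs will silently age.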
@@ -26,11 +26,11 @@ jobs:
 run: |
 echo "RELEASE_VERSION=$(date +v%Y.%-m.%-d)" >> $GITHUB_OUTPUT
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version-file: 'src/go.mod'
 - name: Cache Go modules
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
 with:
 path: ~/go/pkg/mod
 key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -38,12 +38,12 @@ jobs:
 ${{ runner.os }}-go-
 - name: Import GPG Key
 id: import_gpg
- uses: crazy-max/ghaction-import-gpg@v6
+ uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6
 with:
 gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
 passphrase: ${{ secrets.GPG_PASSPHRASE }}
 - name: Login to Public ECR
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 registry: public.ecr.aws
 username: ${{ secrets.ECR_PUBLIC_AWS_ACCESS_KEY_ID }}
@@ -51,9 +51,9 @@ jobs:
 env:
 AWS_REGION: us-east-1
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 - name: Ensure Changelog
 run: |
 git config user.name "OpsLevel Bots"
@@ -77,7 +77,7 @@ jobs:
 run: |
 gh release delete ${{ steps.version.outputs.RELEASE_VERSION }} || true
 - name: Run GoReleaser
- uses: goreleaser/goreleaser-action@v6.1.0
+ uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
 with:
 args: release --clean --release-notes=../.changes/${{ steps.version.outputs.RELEASE_VERSION }}.md
 workdir: ./src
diff --git a/.github/workflows/reports.yml b/.github/workflows/reports.yml
index 64bb601..466057c 100644
--- a/.github/workflows/reports.yml
+++ b/.github/workflows/reports.yml
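Review bot: Pinning `goreleaser/goreleaser-action` to `9ed2f89a…` in the last hunk fixes the action, not the goreleaser binary it installs at run time: that binary comes from the action's `version` input, which defaults to the latest release, and the `with:` block shown carries only `args:` and `workdir:` (the step may continue past the hunk, so confirm no `version:` is set further down). For a job that signs release artifacts with the GPG key imported in the `-38,12` hunk, the build tool should be pinned as well, e.g. `version: '<exact-goreleaser-version>'` under that `with:`. As far as I recall the same caveat applies to `docker/setup-buildx-action` in the `-51,9` hunk, which pulls a BuildKit image when it creates the builder unless the image is pinned through `driver-opts` — worth a check rather than taken as given.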
@@ -14,7 +14,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 submodules: 'true'
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 7bfabcf..cd7feee 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -15,34 +15,34 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 submodules: 'true'
 - name: Fetch all tags
 run: git fetch --force --tags
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version-file: 'src/go.mod'
 cache-dependency-path: |
 src/go.sum
 - name: Cache Go modules
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
 with:
 path: ~/go/pkg/mod
 key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
 restore-keys: |
 ${{ runner.os }}-go-
 - name: Install Task
- uses: arduino/setup-task@v2
+ uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2
 with:
 version: 3.x
 repo-token: ${{ secrets.ORG_GITHUB_TOKEN }}
 - name: Run quality checks and test code
 run: task ci
 - name: Upload Coverage
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5
 with:
 files: ./coverage.txt
 fail_ci_if_error: false
diff --git a/src/Dockerfile b/src/Dockerfile
index 255c7fd..49fbf73 100644
--- a/src/Dockerfile
+++ b/src/Dockerfile
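Review bot: In the tests.yml hunk, `arduino/setup-task` is now pinned to `b91d5d2c…`, but the `version: 3.x` input two lines below still lets the installer fetch whichever Task 3.x release is newest, so `task ci` in the following step runs a binary this commit does not pin. Pin the tool to an exact release and keep the value a quoted string, matching how `'src/go.mod'` is written elsewhere in the file: `version: '<exact-task-version>'`. The codecov step at the end of the hunk has the same shape (the action is pinned, the uploader it fetches is not), though I believe recent codecov-action releases verify the downloaded CLI — confirm rather than assume.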
@@ -1,7 +1,7 @@
-FROM golang:alpine as build
+FROM golang:alpine@sha256:f85330846cde1e57ca9ec309382da3b8e6ae3ab943d2739500e08c86393a21b1 AS build
 RUN apk --no-cache add ca-certificates
-FROM alpine:latest
+FROM alpine:latest@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
 ARG TARGETPLATFORM
 # copy the ca-certificate.crt from the build stage
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
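Review bot: Both new `FROM` lines pair a digest with a floating tag (`golang:alpine@sha256:…`, `alpine:latest@sha256:…`); once a digest is present the builder ignores the tag, so `alpine`/`latest` no longer describe what is pinned, and an updater cannot tell which version line the digest should follow. Keep the digest but write the concrete tag it was resolved from, e.g. `FROM golang:<exact-go-version>-alpine@sha256:f85330846cde1e57ca9ec309382da3b8e6ae3ab943d2739500e08c86393a21b1 AS build` and `FROM alpine:<exact-alpine-version>@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11`. Since the file uses `ARG TARGETPLATFORM` for multi-platform builds, also confirm each digest is the manifest-list digest rather than one taken from a single-platform pull, otherwise builds for the other platforms will fail or silently resolve differently. The `as` → `AS` change is a good drive-by; newer BuildKit lints flag mixed-case keywords.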