feat: Use most recent github actions, immutable refs

Author: boite

templates/.github/workflows/10-review.yaml.j2

@@ -13,15 +13,16 @@ jobs:
     if: github.actor != 'dependabot[bot]'
     continue-on-error: true
     steps:
-      - uses: actions/checkout@v6
+        # v6 https://github.com/actions/checkout/commit/de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       # interesting alternative: https://github.com/cocogitto/cocogitto
-      - uses: webiny/action-conventional-commits@v1.3.0
-        # XXX: normal action versioning syntax (`@v1`) doesn't work with this action,
-        # possibly because not published on the GitHub marketplace
+        # v1.3.0 https://github.com/webiny/action-conventional-commits/commit/8bc41ff4e7d423d56fa4905f6ff79209a78776c7
+      - uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7
 
       - name: Check Card# reference
-        uses: linkorb/commit-message-checker@v1
+        # v1 https://github.com/linkorb/commit-message-checker/commit/dc804b50ce575a720739ec3f0ef3d5030130ec98
+        uses: linkorb/commit-message-checker@dc804b50ce575a720739ec3f0ef3d5030130ec98
         with:
           # Matches lines that end in a card number:                  #1234
           # Matches lines that end in a card number and PR reference: #1234 (#20)
@@ -37,7 +38,8 @@ jobs:
   code-quality:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+        # v6 https://github.com/actions/checkout/commit/de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: latest repo-ansible/reviewdog container
         run: docker pull ghcr.io/linkorb/repo-ansible/reviewdog:latest
       - name: run reviewdog checks

templates/.github/workflows/30-release-and-build.yaml.j2

@@ -17,13 +17,20 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v6
+      # v6 https://github.com/actions/checkout/commit/de0fac2e4500dabe0009e67214ff5f5447ce83dd
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         fetch-depth: 0
 
-    - uses: docker/setup-qemu-action@v3
+    - uses: docker/setup-qemu-action@v4
+      with:
+        image: tonistiigi/binfmt:qemu-v10.2.1@sha256:d3b963f787999e6c0219a48dba02978769286ff61a5f4d26245cb6a6e5567ea3
+        platforms: linux/amd64
 
-    - uses: docker/setup-buildx-action@v3
+    - uses: docker/setup-buildx-action@v4
+      with:
+        driver-opts: network=host,image=moby/buildkit:v0.28.0@sha256:37539dd4d60fc70968d164d3850d903a2c56f6402214a1953fbf9fcb81ada731
+        platforms: linux/amd64
 
     - name: Semantic release
       id: semantic-release
@@ -35,7 +42,7 @@ jobs:
         echo "release-version=$(cat .gitrelease)" >> "$GITHUB_OUTPUT"
 
     - id: meta
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@v6
       with:
         images: |
           ghcr.io/${{ github.repository }}
@@ -44,7 +51,8 @@ jobs:
           type=raw,value=latest,enable={{is_default_branch}}
           type=raw,value=${{ steps.semantic-release.outputs.release-version }}
 
-    - uses: docker/login-action@v3
+      # v4 https://github.com/docker/login-action/commit/b45d80f862d83dbcd57f89517bcf500b2ab88fb2
+    - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
       with:
         registry: ghcr.io
         username: ${{ github.actor }}

templates/.github/workflows/90-cleanup.yaml.j2

@@ -15,7 +15,8 @@ jobs:
 
     steps:
     - name: Keep last 5 published container images
-      uses: actions/delete-package-versions@v5
+      # v5 https://github.com/actions/delete-package-versions/commit/e5bc658cc4c965c472efe991f8beea3981499c55
+      uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55
       with:
         package-name: ${{ github.event.repository.name }}
         package-type: container

templates/.github/workflows/auto-label-pull-request.yaml.j2

@@ -14,7 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Label pull requests based on conventional commits
-        uses: actions/github-script@v7
+        # v8 https://github.com/actions/github-script/commit/ed597411d8f924073f98dfc5c65a23a2325f34cd
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

templates/.github/workflows/auto-merge-dependabot-prs.yaml.j2

@@ -15,7 +15,8 @@ jobs:
     if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
       - id: metadata
-        uses: dependabot/fetch-metadata@v2
+        # v2 https://github.com/dependabot/fetch-metadata/commit/21025c705c08248db411dc16f3619e6b5f9ea21a
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a
 
       - if: steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch'
         run: gh pr merge --merge "$PR_URL"

templates/.github/workflows/auto-run-repo-ansible.yaml.j2

@@ -29,10 +29,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - if: ${{ env.IS_PULL_REQUEST == '0' }}
-        uses: actions/checkout@v6
+        # v6 https://github.com/actions/checkout/commit/de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - if: ${{ env.IS_PULL_REQUEST == '1' }}
-        uses: actions/checkout@v6
+        # v6 https://github.com/actions/checkout/commit/de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
 
@@ -65,7 +67,8 @@ jobs:
 
       - if: ${{ env.IS_PULL_REQUEST == '1' && env.REPOSITORY_CHANGED == '1' }}
         name: bot comment about repo-ansible detected changes
-        uses: actions/github-script@v7
+        # v8 https://github.com/actions/github-script/commit/ed597411d8f924073f98dfc5c65a23a2325f34cd
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         with:
           script: |
             const changes = process.env.REPO_ANSIBLE_OUTPUT