Pinning using hashes

2026-06-30 09:11:40 +00:00 · 2026-06-07 19:57:15 +10:00 · 2026-06-07 19:57:15 +10:00 · 91a166e8d8
commit 91a166e8d8
parent f9b0d7e45d
7 changed files with 9 additions and 9 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -29,7 +29,7 @@ jobs:
        run: echo "VERSION=${GITHUB_REF##*/}" >> "${GITHUB_OUTPUT}"

      - name: Generate man page
-        uses: docker://pandoc/core:2.14.2
+        uses: docker://pandoc/core:2.14.2@sha256:04e127c6642a2b9d447c26fe0ac6a5932efa8f508eda9f07da51b6e621dd7c19
        id: gen-man-page
        with:
          args: >-
@ -43,12 +43,12 @@ jobs:
            man.md

      - name: Install cosign
-        uses: sigstore/cosign-installer@v3
+        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1

      - name: Cross compile
        run: |
          sudo apt-get install rhash -y
-          go install github.com/goreleaser/goreleaser/v2@latest
+          go install github.com/goreleaser/goreleaser/v2@v2.16.0
          ./scripts/xcompile.sh

      - name: Sign checksums
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@ -73,6 +73,6 @@ jobs:
      # Upload the results to GitHub's code scanning dashboard (optional).
      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          sarif_file: results.sarif
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@ -2,7 +2,7 @@ FROM golang:1.26.4@sha256:68cb6d68bed024785b69195b89af7ac7a444f27791435f98647edf

 RUN apt-get update && \
    apt-get install -y npm && \
-    npm install -g npx cspell@latest
+    npm install -g npx cspell@10.0.1

 COPY scripts/devtools.sh /opt/devtools.sh

--- a/cspell.config.yaml
+++ b/cspell.config.yaml
@ -1,5 +1,5 @@
 ---
-$schema: https://raw.githubusercontent.com/streetsidesoftware/cspell/main/cspell.schema.json
+$schema: https://raw.githubusercontent.com/streetsidesoftware/cspell/0f43abf29e5da0ecbcb08214055cdc1e3267c3ea/cspell.schema.json
 version: '0.2'
 language: en-GB
 dictionaryDefinitions:
--- a/release_instructions.txt
+++ b/release_instructions.txt
@ -23,7 +23,7 @@
 // release artifacts are signed with cosign keyless signing (Sigstore)
 // users can verify with:
 //   cosign verify-blob --bundle checksums.bundle checksums
-// install cosign: brew install cosign  OR  go install github.com/sigstore/cosign/v2/cmd/cosign@latest
+// install cosign: brew install cosign  OR  go install github.com/sigstore/cosign/v2/cmd/cosign@v2.6.1


 - snapcraft
--- a/scripts/devtools.sh
+++ b/scripts/devtools.sh
@ -1,5 +1,5 @@
 #!/bin/sh
 set -ex
-go mod download golang.org/x/tools@latest
+go mod download golang.org/x/tools@v0.44.0
 curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/6008b81b81c690c046ffc3fd5bce896da715d5fd/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.11.3
 curl -sSfL https://raw.githubusercontent.com/securego/gosec/424fc4cd9c82ea0fd6bee9cd49c2db2c3cc0c93f/install.sh | sh -s v2.22.11
--- a/scripts/xcompile.sh
+++ b/scripts/xcompile.sh
@ -2,7 +2,7 @@

 set -eo pipefail

-# You may need to go install github.com/goreleaser/goreleaser/v2@latest first
+# You may need to go install github.com/goreleaser/goreleaser/v2@v2.16.0 first
 GORELEASER="goreleaser build --clean"
 if [ -z "$CI" ] || [[ "${GITHUB_REF_NAME:-}" == draft-* ]]; then
  GORELEASER+=" --snapshot"