secureCodeBox · Reet00 · Sep 8, 2025 · Sep 8, 2025
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
diff --git a/.github/workflows/documentation-roulette.yaml b/.github/workflows/documentation-roulette.yaml
@@ -21,7 +21,7 @@ jobs:
     if: github.repository == 'secureCodeBox/secureCodeBox'
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       # Request team members with the GitHub API using their gh cli
       - name: Fetch core-team members
@@ -42,7 +42,7 @@ jobs:
           echo "MEMBER=${MEMBERS[$index]}" >> $GITHUB_ENV
 
       # Create issue and insert chosen member ({{ env.MEMBER}} in template)
-      - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2
+      - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

diff --git a/.github/workflows/helm-charts-release-ghcr.yaml b/.github/workflows/helm-charts-release-ghcr.yaml
@@ -20,7 +20,7 @@ jobs:
     name: "Publish Helm Charts to GHCR"
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Parse Release Version
         run: |
@@ -48,7 +48,7 @@ jobs:
             cd "${dir}" || exit
             echo "Processing Helm Chart in $dir"
             NAME=$(yq eval '.name' - < Chart.yaml)
-            
+
             helm package --version "${{ env.version }}" .
 
             helm push "${NAME}-
7440
${{ env.version }}.tgz" oci://$CONTAINER_REGISTRY/helm/

diff --git a/.github/workflows/helm-charts-release.yaml b/.github/workflows/helm-charts-release.yaml
@@ -18,7 +18,7 @@ jobs:
     name: Package and Publish
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: "Install yq"
         run: |
           sudo snap install yq

diff --git a/.github/workflows/helm-docs.yaml b/.github/workflows/helm-docs.yaml
@@ -5,7 +5,6 @@
 # The CI runs on ubuntu-24.04; More info about the installed software is found here:
 # https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md
 
-
 name: "Update Helm Docs"
 on:
   push:
@@ -20,13 +19,13 @@ jobs:
     runs-on: ubuntu-24.04
     if: github.repository == 'secureCodeBox/secureCodeBox'
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: ${{ github.head_ref }}
           token: ${{ secrets.SCB_BOT_USER_TOKEN }}
 
       - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6
+        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
         with:
           gpg_private_key: ${{ secrets.GPG_COMMITS_PRIVATE_KEY }}
           passphrase: ${{ secrets.GPG_COMMITS_PASSPHRASE }}

diff --git a/.github/workflows/label-commenter.yml b/.github/workflows/label-commenter.yml
@@ -19,7 +19,7 @@ jobs:
   comment:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Label Commenter
         uses: peaceiris/actions-label-commenter@f0dbbef043eb1b150b566db36b0bdc8b7f505579 # v1.10.0
         with:

diff --git a/.github/workflows/license-check.yaml b/.github/workflows/license-check.yaml
@@ -19,9 +19,9 @@ jobs:
     if: github.repository == 'secureCodeBox/secureCodeBox'
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: REUSE Compliance Check
-        uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5
+        uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0
         with:
           args: --include-submodules lint
diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
@@ -36,7 +36,7 @@ jobs:
     steps:
       # Git Checkout
       - name: Checkout Code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
           fetch-depth: 0
@@ -46,7 +46,7 @@ jobs:
         id: ml
         # You can override MegaLinter flavor used to have faster performances
         # More info at https://megalinter.github.io/flavors/
-        uses: oxsecurity/megalinter@e08c2b05e3dbc40af4c23f41172ef1e068a7d651 # v8
+        uses: oxsecurity/megalinter@e08c2b05e3dbc40af4c23f41172ef1e068a7d651 # v8.8.0
         env:
           # All available variables are described in documentation
           # https://megalinter.github.io/configuration/
@@ -57,7 +57,7 @@ jobs:
       # Upload MegaLinter artifacts
       - name: Archive production artifacts
         if: ${{ success() }} || ${{ failure() }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: MegaLinter reports
           path: |

diff --git a/.github/workflows/move-bot-pr-to-review.yaml b/.github/workflows/move-bot-pr-to-review.yaml
@@ -14,16 +14,16 @@ permissions:
   pull-requests: write
 
 jobs:
-  move-bot-pr-to-review:   
+  move-bot-pr-to-review:
     runs-on: ubuntu-24.04
-    # only run if the branch starts with 'dependabot/' or 'dependencies/upgrading' 
+    # only run if the branch starts with 'dependabot/' or 'dependencies/upgrading'
     if: startsWith(github.head_ref, 'dependabot/') || startsWith(github.head_ref, 'dependencies/upgrading')
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Add bot PR to project
         run: |
-          # Get the ID for the field Status 
+          # Get the ID for the field Status
           # gh project list --owner secureCodeBox
           secureCodeBoxV4ProjectID="PVT_kwDOAg-Nic05GQ"
 
@@ -36,15 +36,15 @@ jobs:
                 }
               }
             }" | jq -r '.data.addProjectV2ItemById.item.id') >> $GITHUB_ENV
-        env: 
-          GH_TOKEN: ${{ secrets.SCB_BOT_USER_TOKEN }} 
+        env:
+          GH_TOKEN: ${{ secrets.SCB_BOT_USER_TOKEN }}
           PR_ID: ${{ github.event.pull_request.node_id }}
 
       - name: Move PR to column To Review
         # only move SCB-Bot, since dependabot is not part of core team and therefore has no access to secrets
         if: startsWith(github.head_ref, 'dependencies/upgrading')
         run: |
-          # Get the ID for the field Status 
+          # Get the ID for the field Status
           # gh project field-list 6 --owner secureCodeBox
           StatusFieldID="PVTSSF_lADOAg-Nic05Gc4AAZuO"
 
@@ -56,6 +56,6 @@ jobs:
           prNodeID=${{env.prNodeID}}<
B850
/span>
           # Move PR to "To Review" status
           gh project item-edit --id ${{ env.prNodeID }} --field-id $StatusFieldID --project-id $secureCodeBoxV4ProjectID --single-select-option-id $ToReviewID
-          
+
         env:
-          GH_TOKEN: ${{ secrets.SCB_BOT_USER_TOKEN }} 
+          GH_TOKEN: ${{ secrets.SCB_BOT_USER_TOKEN }}
diff --git a/.github/workflows/oss-scorecard.yaml b/.github/workflows/oss-scorecard.yaml
@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false