From 0e7c2e26d291d42fcd91a6ace95b9cb8b3c22ece Mon Sep 17 00:00:00 2001
From: RyanH-STFC
Date: Wed, 22 Apr 2026 16:55:33 +0100
Subject: [PATCH] Change all tags from workflows to pinned SHAs

- Change all of the tags in the repo to pinned SHAs as it is best practice as a defence against supply chain attacks
---
 .github/workflows/check_helm_updates.yaml | 14 ++++++++------
 .github/workflows/pr_copied_files.yaml | 7 +++++--
 .github/workflows/promote_to_prod.yaml | 9 ++++++---
 3 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/check_helm_updates.yaml b/.github/workflows/check_helm_updates.yaml
index f77d28a5..3dfc9865 100644
--- a/.github/workflows/check_helm_updates.yaml
+++ b/.github/workflows/check_helm_updates.yaml
@@ -1,5 +1,7 @@
 # adapted from https://github.com/camptocamp/helm-dependency-update-action example
-
+permissions:
+ contents: read
+
 name: Update Chart Dependencies on Staging
 
 env:
@@ -16,22 +18,22 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: "Setup Github Token"
- uses: actions/create-github-app-token@v3
+ uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3
 id: app-token
 with:
 app-id: ${{ vars.APP_ID }}
 private-key: ${{ secrets.PRIVATE_KEY }}
 
 - name: Checkout repo
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
 - name: Set up Helm
- uses: azure/setup-helm@v5
+ uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2
 with:
 version: 'latest'
 
 - name: Install yq
- uses: mikefarah/yq@v4
+ uses: mikefarah/yq@0f4fb8d35ec1a939d78dd6862f494d19ec589f19
 
 - name: Update dependencies for Staging Charts
 id: updater
@@ -50,7 +52,7 @@ jobs:
 
 - name: Create PR with Chart updates
 if: steps.updater.outputs.updated_charts != '0'
- uses: peter-evans/create-pull-request@v8
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
 with:
 token: ${{ steps.app-token.outputs.token }}
 commit-message: "${{ steps.env-vars.outputs.pr_title }}"
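Review bot: Each pinned `uses:` in the steps hunk of check_helm_updates.yaml (create-github-app-token, checkout, setup-helm, yq) drops the tag without leaving a trailing version comment, so a reader can no longer tell which release a 40-hex digest corresponds to and Dependabot/Renovate will not offer pinned-SHA bumps; the usual form is `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`. The digests themselves cannot be checked from the diff, so each `# vN` annotation should be added only after confirming the SHA against the upstream release tag, and the same applies to the other two workflows in this patch. Note also that the `azure/setup-helm` step is now pinned but still passes `version: 'latest'`, so the Helm binary it downloads at run time is not pinned at all; set an explicit Helm release there if the goal is a reproducible toolchain.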
diff --git a/.github/workflows/pr_copied_files.yaml b/.github/workflows/pr_copied_files.yaml
index c24afd24..608e12f7 100644
--- a/.github/workflows/pr_copied_files.yaml
+++ b/.github/workflows/pr_copied_files.yaml
@@ -1,3 +1,6 @@
+permissions:
+ contents: read
+
 name: CI Copied Files Check
 on:
 pull_request:
@@ -7,10 +10,10 @@ jobs:
 check_files:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
 - id: changed-files
- uses: tj-actions/changed-files@v47
+ uses: tj-actions/changed-files@v4722103cc46bda19c2b464ffe86db46df6922fd323
 with:
 files_yaml: |
 staging:
diff --git a/.github/workflows/promote_to_prod.yaml b/.github/workflows/promote_to_prod.yaml
index 26d01ace..af53dd12 100644
--- a/.github/workflows/promote_to_prod.yaml
+++ b/.github/workflows/promote_to_prod.yaml
@@ -1,3 +1,6 @@
+permissions:
+ contents: read
+
 name: Promote Staging Helm Chart Versions to Prod
 
 on:
@@ -15,14 +18,14 @@ jobs:
 
 steps:
 - name: "Setup Github Token"
- uses: actions/create-github-app-token@v3
+ uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3
 id: app-token
 with:
 app-id: ${{ vars.APP_ID }}
 private-key: ${{ secrets.PRIVATE_KEY }}
 
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
 - name: Check for changes
 id: check-changes
@@ -56,7 +59,7 @@ jobs:
 
 - name: Commit and Create Pull Request
 if: steps.check-changes.outputs.changes-detected == 'true'
- uses: peter-evans/create-pull-request@v8
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
 with:
 token: ${{ steps.app-token.outputs.token }}
 commit-message: "${{ steps.env-vars.outputs.pr_title }}"
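Review bot: The new ref `tj-actions/changed-files@v4722103cc46bda19c2b464ffe86db46df6922fd323` in the pr_copied_files.yaml steps hunk is not a commit SHA: it is 43 characters, the old `v47` tag prefix followed by a 40-hex digest, which reads like a find-and-replace that substituted the version number but kept the leading `v`. GitHub Actions will fail to resolve that ref when the job starts, so the CI Copied Files Check job errors instead of running, and if the check is not a required status on pull requests that failure may go unnoticed. The line should presumably be `uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47`, after verifying that this digest is what the upstream v47 tag resolves to; this action in particular has been the subject of a publicly reported tag-tampering incident, so verify against the upstream repository rather than a local clone. The checkout pin in the same hunk uses the correct bare 40-hex form, which makes the malformed ref easy to spot in review.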