ci: pinned github actions used with their sha...

... and let dependabot deal with that.

NOTE: dependabot updates for the github actions ecosystem are
automatically merged.

Signed-off-by: Frederic BIDON <fredbi@yahoo.com>

Author: fredbi

.github/dependabot.yaml

@@ -1,4 +1,6 @@
 version: 2
+assignees:
+  - fredbi
 updates:
   - package-ecosystem: "github-actions"
     directories:
@@ -30,7 +32,8 @@ updates:
     # 2. golang.org-dependencies are auto-merged
     # 3. go-openapi patch updates are auto-merged. Minor/major version updates require a manual merge.
     # 4. other dependencies require a manual merge
-    directory: "/"
+    directories:
+      - "**/*"
     schedule:
       interval: "weekly"
       day: "friday"
@@ -39,6 +42,7 @@ updates:
       development-dependencies:
         patterns:
           - "github.com/stretchr/testify"
+          - "github.com/go-openapi/testify"
 
       golang-org-dependencies:
         patterns:
@@ -47,9 +51,14 @@ updates:
       go-openapi-dependencies:
         patterns:
           - "github.com/go-openapi/*"
+        exclude-patterns:
+          - "github.com/go-openapi/testify"
 
       other-dependencies:
         exclude-patterns:
           - "github.com/go-openapi/*"
           - "github.com/stretchr/testify"
+          - "github.com/go-openapi/testify"
           - "golang.org/*"
+    allow:
+      - dependency-type: all

.github/workflows/auto-merge.yml

@@ -12,7 +12,7 @@ jobs:
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v2
+        uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
 
       - name: Auto-approve all dependabot PRs
         run: gh pr review --approve "$PR_URL"

.github/workflows/go-test.yml

@@ -22,7 +22,7 @@ jobs:
       modules: ${{ steps.modules.outputs.modules }}
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Find go modules
         id: modules
         shell: bash
@@ -69,15 +69,15 @@ jobs:
         module: ${{ fromJSON(needs.module-matrix.outputs.modules) }}
 
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v6
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: stable
           check-latest: true
           cache: true
           cache-dependency-path: '**/go.sum'
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
           version: latest
           only-new-issues: true
@@ -107,8 +107,8 @@ jobs:
       TEST_REPORT: 'all_modules.report.${{ matrix.os }}.${{ matrix.go_version }}.json'
 
     steps:
-    - uses: actions/checkout@v5
-    - uses: actions/setup-go@v6
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
       with:
         go-version: '${{ matrix.go_version }}'
         check-latest: true
@@ -140,7 +140,7 @@ jobs:
 
     - name: Upload coverage to codecov
       if: ${{ success() }}  # we do this only if all previous steps succeeded
-      uses: codecov/codecov-action@v5
+      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
       with:
         name: Multi modules aggregated coverage
         flags: '${{ matrix.go_version }}-${{ matrix.os }}'
@@ -149,7 +149,7 @@ jobs:
 
     - name: Upload JSON test Results
       if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: 'all_modules.report.${{ matrix.os }}.${{ matrix.go_version }}'
         path: ${{ env.TEST_REPORT }}
@@ -169,14 +169,14 @@ jobs:
     name: Collect and merge test reports
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: stable
           check-latest: true
           cache: true
 
       - name: Download all JSON artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           run-id: "${{ github.run_id }}"
           pattern: "all_modules.report.*"
@@ -194,7 +194,7 @@ jobs:
 
       - name: Upload test results to Codecov
         if: always()
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
         with:
           files: '**/junit_report.xml'
           report_type: 'test_results'
@@ -204,7 +204,7 @@ jobs:
 
       - name: Convert test reports to CTRF JSON
         run: |
-          go install github.com/ctrf-io/go-ctrf-json-reporter/cmd/go-ctrf-json-reporter@latest
+          go install github.com/ctrf-io/go-ctrf-json-reporter/cmd/go-ctrf-json-reporter@v0.0.10
 
           appName="swag"
           buildNumber="${{ github.run_id }}"
@@ -244,7 +244,7 @@ jobs:
       #
       # They also handle the storage of past test reports, so as to assess flaky tests.
       - name: Publish Test Summary Results
-        uses: ctrf-io/github-test-reporter@v1
+        uses: ctrf-io/github-test-reporter@646f98cfc16c6f7a0e1f6100cabe2deb95dd2eef # v1.0.22
         with:
           report-path: 'reports/ctrf_report_*.json'
           use-suite-name: true