From b76c72271c577f480535912ef2b1d2b387265813 Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Fri, 19 Dec 2025 11:06:25 +0100
Subject: [PATCH 1/3] Security: Pin action SHAs and add explicit permissions

- Pin all GitHub Actions to full commit SHAs for supply chain security
- Add version comments to pinned SHAs for maintainability
- Verify explicit permissions blocks are present in all workflows

Actions updated:
- actions/checkout: 11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2)
- docker/setup-buildx-action: b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 (v3.10.0)
- docker/login-action: 28fdb31ff34708d19615a74d67103ddc2ea9725c (v3.4.0)
- docker/build-push-action: 263a8a0d8a10d3a7e75c7dbc68b0215a43f23e41 (v6.15.0)
- docker/metadata-action: c299e40c65443455700f0fdfc63efafe5b349051 (v6.2.0)
- step-security/harden-runner: 91182cccc01eb5e619899c88c4c9a5e2815f8a4f (v2.10.2)
- hadolint/hadolint-action: 54c9adbab1582c2ef04b2cd0bd3f9113a8af5e72 (v3.3.0)
- sigstore/cosign-installer: dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da (v4.0.0)
- dependabot/fetch-metadata: 5e5f99653a5b510e8555840e80cbf1514ad4af38 (v2.2.0)

This addresses GitHub Security alerts for unpinned actions and improves workflow security posture.
---
 .github/workflows/auto-merge-deps.yml | 2 +-
 .github/workflows/ci.yml | 14 +++++++-------
 .github/workflows/docker-publish.yml | 12 ++++++------
 3 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/auto-merge-deps.yml b/.github/workflows/auto-merge-deps.yml
index 7df826e..e85de8c 100644
--- a/.github/workflows/auto-merge-deps.yml
+++ b/.github/workflows/auto-merge-deps.yml
@@ -25,7 +25,7 @@ jobs:
 - name: Dependabot metadata
 id: metadata
 if: github.event.pull_request.user.login == 'dependabot[bot]'
- uses: dependabot/fetch-metadata@v2
+ uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2.2.0
 with:
 github-token: "${{ secrets.GITHUB_TOKEN }}"
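Review bot: The `# v2.2.0` comment on the added `uses:` line is the only link between this SHA and a release, and nothing in the series shows the SHA was resolved from the tag — patches 2 and 3 later replace two of this commit's pins because the commits did not exist. Confirm it with `git ls-remote --tags https://github.com/dependabot/fetch-metadata v2.2.0` (the `^{}` line is the peeled commit when the tag is annotated) before merging, and prefer a pinning tool or Dependabot's github-actions updates, which write the SHA and the comment from the same lookup. A SHA that exists but belongs to a different release is worse than an invalid one: the job runs that commit silently while the comment claims a reviewed version. The commit title also promises explicit `permissions:` blocks, but no `permissions:` line is added or changed anywhere in the diff; the message should say they were only checked, not added.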
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2e29d57..5f465ae 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,15 +17,15 @@ jobs:
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@91182cccc01eb5e619899c88c4c9a5e2815f8a4f # v2.10.2
 with:
 egress-policy: audit
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Run Hadolint
- uses: hadolint/hadolint-action@v3.3.0
+ uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2cd0bd3f9113a8af5e72 # v3.3.0
 continue-on-error: true # Allow existing issues, report but don't block
 with:
 dockerfile: Dockerfile
@@ -37,18 +37,18 @@ jobs:
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@91182cccc01eb5e619899c88c4c9a5e2815f8a4f # v2.10.2
 with:
 egress-policy: audit
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 - name: Build (no push)
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@263a8a0d8a10d3a7e75c7dbc68b0215a43f23e41 # v6.15.0
 with:
 context: .
 push: false
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 2705b33..715dc3f 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
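Review bot: `egress-policy: audit` on the Harden Runner step in this hunk only records outbound connections, so a compromised action or build dependency in the job can still exfiltrate; pinning the action's SHA does not change that. Once the audit logs give a stable baseline, switch to `egress-policy: block` and list the hosts the job needs under `allowed-endpoints:` (github.com plus whatever hadolint fetches). The hadolint pin on this hunk's last `+` line is the one patch 3 replaces as not found, so the SHA-to-tag mapping for the other added lines here (harden-runner, checkout) should be verified against the tags the same way rather than assumed from the comment.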
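Review bot: The same release label is attached to two different SHAs within this commit: this hunk pins `docker/setup-buildx-action@b5ca5143… # v3.10.0` and `docker/build-push-action@263a8a0d… # v6.15.0`, while the docker-publish.yml hunk in the same patch labels `8d2750c6…` as v3.10.0 and `9e436ba9…` as v6.15.0. At most one of each pair can be right, and patch 2 later relabels `8d2750c6…` as v3.12.0, which indicates the comments were written by hand rather than from a tag lookup. Pin each action to a single verified SHA shared by both workflows so one Dependabot bump keeps them in step, and derive the `# vX.Y.Z` comment from that lookup.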
@@ -36,23 +36,23 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 # Install the cosign tool except on PR
 # https://github.com/sigstore/cosign-installer
 - name: Install cosign
 if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@v4.0.0
+ uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v4.0.0
 # Workaround: https://github.com/docker/build-push-action/issues/461
 - name: Setup Docker buildx
- uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.10.0
 # Login against a Docker registry except on PR
 # https://github.com/docker/login-action
 - name: Log into registry ${{ env.REGISTRY }}
 if: github.event_name != 'pull_request'
- uses: docker/login-action@28fdb31ff34708d19615a74d67103ddc2ea9725c
+ uses: docker/login-action@28fdb31ff34708d19615a74d67103ddc2ea9725c # v3.4.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -62,7 +62,7 @@ jobs:
 # https://github.com/docker/metadata-action
 - name: Extract Docker metadata
 id: meta
- uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v6.2.0
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -70,7 +70,7 @@ jobs:
 # https://github.com/docker/build-push-action
 - name: Build and push Docker image
 id: build-and-push
- uses: docker/build-push-action@9e436ba9f2d7bcd1d038c8e55d039d37896ddc5d
+ uses: docker/build-push-action@9e436ba9f2d7bcd1d038c8e55d039d37896ddc5d # v6.15.0
 with:
 context: .
 push: ${{ github.event_name != 'pull_request' }}

From 91035604e5885122400472ddb0df66d23498902d Mon Sep 17 00:00:00 2001
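Review bot: The first change in this hunk moves `actions/checkout@v6` to the v4.2.2 SHA, which is a downgrade across two major versions presented as a pin, not a pin of what the workflow was running; resolve the v6 tag instead (`git ls-remote --tags https://github.com/actions/checkout v6`) or state in the commit why v4 is intended. The `# v3.10.0` comment added to `setup-buildx-action@8d2750c6…` contradicts patch 2 of this series, which labels the same SHA `# v3.12.0` in ci.yml and does not touch this file, so after the series the two workflows disagree about what `8d2750c6…` is. This is the job that logs into the registry and pushes, so a wrong pin here matters most; verify every SHA in this hunk against its tag rather than carrying the comment over.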
From: Sebastian Mendel
Date: Fri, 19 Dec 2025 12:48:02 +0100
Subject: [PATCH 2/3] fix: Update GitHub Actions to valid SHAs

- harden-runner: v2.14.0 @ 20cf305ff2072d973412fa9b1e3a4f227bda3c76
- setup-buildx-action: v3.12.0 @ 8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
- build-push-action: v6.18.0 @ 263435318d21b8e681c14492fe198d362a7d2c83

Fixes invalid harden-runner SHA that was causing workflow failures.
---
 .github/workflows/auto-merge-deps.yml | 2 +-
 .github/workflows/ci.yml | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/auto-merge-deps.yml b/.github/workflows/auto-merge-deps.yml
index e85de8c..68a0e77 100644
--- a/.github/workflows/auto-merge-deps.yml
+++ b/.github/workflows/auto-merge-deps.yml
@@ -18,7 +18,7 @@ jobs:
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with:
 egress-policy: audit
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5f465ae..199d831 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,7 +17,7 @@ jobs:
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@91182cccc01eb5e619899c88c4c9a5e2815f8a4f # v2.10.2
+ uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with:
 egress-policy: audit
@@ -37,7 +37,7 @@ jobs:
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@91182cccc01eb5e619899c88c4c9a5e2815f8a4f # v2.10.2
+ uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with:
 egress-policy: audit
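Review bot: The `harden-runner@v2` line removed in this hunk survived patch 1 even though that commit's message claims every action was pinned, so the series has no mechanical check that floating `uses:` references stay out. Add one to CI — a zizmor or pinact run, or at minimum a grep for `uses: .*@v[0-9]` and `@main` under `.github/workflows` that fails the job — so the next unpinned tag breaks the build instead of waiting for a security alert. The `egress-policy: audit` kept below only logs; in a workflow that, judging by its name and the fetch-metadata step, auto-merges Dependabot PRs with `GITHUB_TOKEN`, it is worth moving to `block` with `allowed-endpoints:` once the baseline is known.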
@@ -45,10 +45,10 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 - name: Build (no push)
- uses: docker/build-push-action@263a8a0d8a10d3a7e75c7dbc68b0215a43f23e41 # v6.15.0
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 with:
 context: .
 push: false

From 32f78ff812c64fc8ba8f27fe9fd283371916d18a Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Fri, 19 Dec 2025 13:18:51 +0100
Subject: [PATCH 3/3] Fix hadolint-action SHA to correct v3.3.0 commit

The previous SHA 54c9adbab1582c2ef04b2cd0bd3f9113a8af5e72 was invalid and caused CI failures with 'action could not be found' error. Updated to the correct SHA 2332a7b74a6de0dda2e2221d575162eba76ba5e5 which is the actual commit for v3.3.0 release as verified from GitHub API.
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 199d831..c7e5eb5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,7 +25,7 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Run Hadolint
- uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2cd0bd3f9113a8af5e72 # v3.3.0
+ uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
 continue-on-error: true # Allow existing issues, report but don't block
 with:
 dockerfile: Dockerfile
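Review bot: After this hunk ci.yml pins `setup-buildx-action@8d2750c6… # v3.12.0` and `build-push-action@26343531… # v6.18.0`, while docker-publish.yml, which this patch does not touch, still carries `8d2750c6… # v3.10.0` and `9e436ba9… # v6.15.0` from patch 1 — one SHA with two different version comments, and two different SHAs for the build action. Update docker-publish.yml in the same change so both workflows reference one verified SHA per action with a matching comment; otherwise Dependabot updates and anyone reading the pins work from wrong labels. The message should also say how these new SHAs were verified, as patch 3 does for hadolint and this patch does not.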
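Review bot: The commit message says this SHA was verified from the GitHub API, which is the check the rest of the series skipped; record the command (for example `gh api repos/hadolint/hadolint-action/git/ref/tags/v3.3.0`, dereferencing an annotated tag object to its commit) so reviewers can repeat it, and apply it to every pin still carrying an unverified comment. A SHA that exists but belongs to another release would not have produced the `action could not be found` failure this fixes — it would run silently under the wrong label — so a green build is not evidence that the remaining pins are right. Unrelated to the pin but on the same step, `continue-on-error: true` means hadolint findings never fail CI; if the intent is only to tolerate existing warnings, hadolint-action's `failure-threshold: error` input keeps errors blocking while still reporting the rest.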