From f2f8db713851fd0a20adb5a5d144b7bb423a0765 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
 <charles.edouard@nirmata.com>
Date: Mon, 11 Sep 2023 21:08:38 +0200
Subject: [PATCH] chore: ensure usage of pinned actions (#745)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
---
 .github/workflows/check-actions.yaml | 21 +++++++++++++++++++++
 .github/workflows/ci.yml             |  3 +--
 .github/workflows/test.yml           |  2 +-
 3 files changed, 23 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/check-actions.yaml

diff --git a/.github/workflows/check-actions.yaml b/.github/workflows/check-actions.yaml
new file mode 100644
index 000000000..3cda21aee
--- /dev/null
+++ b/.github/workflows/check-actions.yaml
@@ -0,0 +1,21 @@
+name: Check actions
+
+permissions: {}
+
+on:
+  push:
+    branches:
+      - '*'
+  pull_request:
+    branches:
+      - 'main'
+      - 'release*'
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - name: Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 98988e5ff..904105cc7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,8 +3,7 @@ name: Policy Test
 on:
   push:
     branches:
-      - main
-      - release*
+      - '*'
   pull_request:
     branches:
       - main
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fd19b5e83..1dae4387d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -71,7 +71,7 @@ jobs:
           curl -LO "https://dl.k8s.io/release/${{ matrix.k8s-version.version }}/bin/linux/amd64/kubectl"
           sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
       - name: Install latest Kyverno CLI
-        uses: kyverno/action-install-cli@v0.2.0
+        uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0
       - name: Create kind cluster
         run: |
           ./.tools/kind create cluster --image kindest/node:${{ matrix.k8s-version.version }} --config ./.github/kind.yml