Move mutable tags to "more immutable" ones

.github/workflows/build-and-publish-renovate.yml

@@ -18,14 +18,14 @@ jobs:
     permissions:
       packages: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
         with:
           ref: ${{ inputs.ref }}
-      - uses: redhat-actions/buildah-build@v2
+      - uses: redhat-actions/buildah-build@v2.12
         with:
           image: renovate-tmt
           containerfiles: ./containers/Containerfile.renovate
-      - uses: redhat-actions/push-to-registry@v2
+      - uses: redhat-actions/push-to-registry@v2.8
         with:
           image: renovate-tmt
           tags: latest

.github/workflows/ci.yml

@@ -51,6 +51,6 @@ jobs:
     needs: [ pre-commit, build-wheel, shellcheck, doc-tests ]
     runs-on: ubuntu-slim
     steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@v1.2.2
         with:
           jobs: ${{ toJSON(needs) }}

.github/workflows/publish-images.yml

@@ -8,22 +8,22 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
       - name: Build - tmt
-        uses: redhat-actions/buildah-build@v2
+        uses: redhat-actions/buildah-build@v2.12
         id: build-image-tmt
         with:
           image: tmt
           containerfiles: ./containers/Containerfile.mini
       - name: Build - tmt-all
-        uses: redhat-actions/buildah-build@v2
+        uses: redhat-actions/buildah-build@v2.12
         id: build-image-tmt-all
         with:
           image: tmt-all
           containerfiles: ./containers/Containerfile.full
       - name: Push To quay.io - tmt
         id: push-to-quay-tmt
-        uses: redhat-actions/push-to-registry@v2
+        uses: redhat-actions/push-to-registry@v2.8
         with:
           image: ${{ steps.build-image-tmt.outputs.image }}
           tags: ${{ steps.build-image-tmt.outputs.tags }}
@@ -32,7 +32,7 @@ jobs:
           password: ${{ secrets.QUAY_TEEMTEE_SECRET }}
       - name: Push To quay.io - tmt-all
         id: push-to-quay-tmt-all
-        uses: redhat-actions/push-to-registry@v2
+        uses: redhat-actions/push-to-registry@v2.8
         with:
           image: ${{ steps.build-image-tmt-all.outputs.image }}
           tags: ${{ steps.build-image-tmt-all.outputs.tags }}

.github/workflows/release.yml

@@ -30,15 +30,15 @@ jobs:
       attestations: write
 
     steps:
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@v8.0.1
         with:
           name: Packages
           path: dist
 
       - name: Generate artifact attestation for sdist and wheel
-        uses: actions/attest-build-provenance@v4
+        uses: actions/attest-build-provenance@v4.1.0
         with:
           subject-path: "dist/*"
 
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@v1.14.0

.github/workflows/renovate.yml

@@ -20,10 +20,10 @@ jobs:
     environment: renovate
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
       - name: Get GitHub App token
         id: token
-        uses: actions/create-github-app-token@v3
+        uses: actions/create-github-app-token@v3.1.1
         with:
           client-id: ${{ secrets.RENOVATE_BOT_CLIENT_ID }}
           private-key: ${{ secrets.RENOVATE_BOT_PRIVATE_KEY }}

.github/workflows/step-build-wheel.yml

@@ -13,8 +13,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
         with:
           ref: ${{ inputs.ref }}
           persist-credentials: false
-      - uses: hynek/build-and-inspect-python-package@v2
+      - uses: hynek/build-and-inspect-python-package@v2.17.0

.github/workflows/step-doc-tests.yml

@@ -26,14 +26,14 @@ jobs:
             sphinx_builder: html
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
         with:
           persist-credentials: false
           ref: ${{ inputs.ref }}
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@v6.2.0
         with:
           python-version: 3.x
-      - uses: astral-sh/setup-uv@v7
+      - uses: astral-sh/setup-uv@v7.6.0
         with:
           activate-environment: true
       - name: Install tmt[docs]
@@ -45,7 +45,7 @@ jobs:
         if: ${{ matrix.builder == 'lint' }}
 
       - name: Cache linkcheck results
-        uses: actions/cache@v5
+        uses: actions/cache@v5.0.5
         with:
           path: docs/_build/linkcheck_cache.json
           key: linkcheck

.github/workflows/step-pre-commit.yml

@@ -19,11 +19,11 @@ jobs:
     - run: |
         wget -O /usr/local/bin/hadolint https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64
         chmod +x /usr/local/bin/hadolint
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v6.0.2
       with:
         persist-credentials: false
         ref: ${{ inputs.ref }}
-    - uses: actions/setup-python@v6
+    - uses: actions/setup-python@v6.2.0
       with:
         # Python 3.9 is for mypy testing the lowest python version
         # Python 3.13 is for ansible-lint hard-coding the python requirement

.github/workflows/step-shellcheck.yml

@@ -19,15 +19,15 @@ jobs:
 
     steps:
       - name: Repository checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.2
         with:
           fetch-depth: 0
           persist-credentials: false
           ref: ${{ inputs.ref }}
 
       - id: ShellCheck
         name: Differential ShellCheck
-        uses: redhat-plumbers-in-action/differential-shellcheck@v5
+        uses: redhat-plumbers-in-action/differential-shellcheck@v5.5.6
         # Note: we do not use token here to have more control of when to upload the sarif.
         #  It might be incorrect to upload them for PRs.
         #  https://github.com/github/codeql-action/issues/3578
@@ -41,7 +41,7 @@ jobs:
 
       - if: ${{ always() }}
         name: Upload artifact with ShellCheck defects in SARIF format
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: Differential ShellCheck SARIF
           path: ${{ steps.ShellCheck.outputs.sarif }}
@@ -53,10 +53,10 @@ jobs:
     permissions:
       security-events: write
     steps:
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@v8.0.1
         with:
           name: Differential ShellCheck SARIF
-      - uses: github/codeql-action/upload-sarif@v4
+      - uses: github/codeql-action/upload-sarif@v4.35.3
         with:
           sarif_file: ${{ needs.lint.outputs.sarif }}
     if: ${{ inputs.upload_sarif }}