From 6df412f35602dfb6dd9bf90b0fa9326f0b7432ac Mon Sep 17 00:00:00 2001
From: Timo Behrendt <t.behrendt@t00n.de>
Date: Sat, 14 Feb 2026 18:58:19 +0100
Subject: [PATCH 1/2] ci: pin varios actions to a proper semver version

---
 .gitea/workflows/cd.yaml      | 18 +++++++++---------
 .gitea/workflows/ci.yaml      | 20 ++++++++++----------
 .gitea/workflows/release.yaml |  2 +-
 3 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index 726315a..14aed4a 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -41,7 +41,7 @@ jobs:
       has_helmfile: ${{ steps.check-helmfile.outputs.exists }}
       has_k8s: ${{ steps.check-k8s.outputs.exists }}
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check if helmfile.yaml exists
         id: check-helmfile
         run: |
@@ -68,15 +68,15 @@ jobs:
     needs: detect-service-type
     if: needs.detect-service-type.outputs.has_k8s == 'true'
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ inputs.deploy_branch }}
       - uses: ./.gitea/actions/extract-namespace-from-repo-name
         id: namespace
         with:
           repo: ${{ github.repository }}
-      - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4
-      - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4
+      - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
+      - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4.0.2
         with:
           method: kubeconfig
           kubeconfig: ${{ secrets.KUBECONFIG }}
@@ -119,16 +119,16 @@ jobs:
       needs.detect-service-type.outputs.has_k8s == 'true' && 
       inputs.skip_helm_deployment != 'true'
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ inputs.deploy_branch }}
       - uses: ./.gitea/actions/extract-namespace-from-repo-name
         id: namespace
         with:
           repo: ${{ github.repository }}
-      - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4
+      - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
       - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
-      - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4
+      - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4.0.2
         with:
           method: kubeconfig
           kubeconfig: ${{ secrets.KUBECONFIG }}
@@ -156,14 +156,14 @@ jobs:
             echo "No custom secrets to create"
           fi
       - name: Deploy Helm
-        uses: helmfile/helmfile-action@f64d5db9f8660aae0205b5fcfc56577d44acefab # v2
+        uses: helmfile/helmfile-action@6867d18430fbe251b9c1a498e26b6c45fe6ed9db # v2.2.0
         with:
           helmfile-args: apply
 
   # Summary job that always runs to show what was deployed
   deployment-summary:
     runs-on: ubuntu-latest
-    needs: [detect-service-type, deploy-k8s, deploy-helm]
+    needs: [ detect-service-type, deploy-k8s, deploy-helm ]
     if: always()
     steps:
       - name: Deployment Summary
diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index f6e1581..953ca9e 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -26,7 +26,7 @@ jobs:
       has_helmfile: ${{ steps.check-helmfile.outputs.exists }}
       has_k8s: ${{ steps.check-k8s.outputs.exists }}
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check if helmfile.yaml exists
         id: check-helmfile
         run: |
@@ -53,18 +53,18 @@ jobs:
     needs: detect-service-type
     if: needs.detect-service-type.outputs.has_k8s == 'true'
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: ./.gitea/actions/extract-namespace-from-repo-name
         id: namespace
         with:
           repo: ${{ github.repository }}
-      - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4
-      - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4
+      - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
+      - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4.0.2
         with:
           method: kubeconfig
           kubeconfig: ${{ secrets.KUBECONFIG }}
       - name: Validate k8s manifests
-        uses: azure/k8s-lint@6aefe5066f95e73d2b140d8835cc95583b886989 # v3
+        uses: azure/k8s-lint@6aefe5066f95e73d2b140d8835cc95583b886989 # v4.0.1
         with:
           namespace: ${{ steps.namespace.outputs.namespace }}
           lintType: dryrun
@@ -78,26 +78,26 @@ jobs:
       needs.detect-service-type.outputs.has_k8s == 'true' && 
       inputs.skip_helm_validation != 'true'
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: ./.gitea/actions/extract-namespace-from-repo-name
         id: namespace
         with:
           repo: ${{ github.repository }}
-      - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4
+      - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
       - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
-      - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4
+      - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4.0.2
         with:
           method: kubeconfig
           kubeconfig: ${{ secrets.KUBECONFIG }}
       - name: Validate Helm
-        uses: helmfile/helmfile-action@37b026692c13757b2852cd7449e6e82eccc345d3 # v2.1.1
+        uses: helmfile/helmfile-action@6867d18430fbe251b9c1a498e26b6c45fe6ed9db # v2.2.0
         with:
           helmfile-args: diff
 
   # Summary job that always runs to show what was validated
   ci-summary:
     runs-on: ubuntu-latest
-    needs: [detect-service-type, validate-k8s, validate-helm]
+    needs: [ detect-service-type, validate-k8s, validate-helm ]
     if: always()
     steps:
       - name: CI Summary
diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml
index 15d144e..a4dab39 100644
--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
@@ -13,7 +13,7 @@ jobs:
     name: Release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
       - name: Increment tag
-- 
2.49.1


From 972f6151ca1abce546fe714b5b2ecd363e1a0db1 Mon Sep 17 00:00:00 2001
From: Timo Behrendt <t.behrendt@t00n.de>
Date: Sat, 14 Feb 2026 19:16:48 +0100
Subject: [PATCH 2/2] ci: pin varios actions to a proper semver version

---
 .gitea/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index 953ca9e..4cb4128 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -64,7 +64,7 @@ jobs:
           method: kubeconfig
           kubeconfig: ${{ secrets.KUBECONFIG }}
       - name: Validate k8s manifests
-        uses: azure/k8s-lint@6aefe5066f95e73d2b140d8835cc95583b886989 # v4.0.1
+        uses: azure/k8s-lint@6aefe5066f95e73d2b140d8835cc95583b886989 # v3.0.1
         with:
           namespace: ${{ steps.namespace.outputs.namespace }}
           lintType: dryrun
-- 
2.49.1