ci(workflows): Pin More Hashes (#258)

.github/workflows/code.yml

@@ -29,7 +29,7 @@ jobs:
         run: go test -timeout 30s -v ./...
 
       - name: Linting
-        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.0
+        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         with:
           version: v1.61.0
 
@@ -40,16 +40,12 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - name: Setup Python
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
-        with:
-          python-version: "3.x"
-
-      # v24.10.0
       - name: Linting
-        run: |
-          pip install git+https://github.com/psf/black@1b2427a2b785cc4aac97c19bb4b9a0de063f9547 
-          find -name *.py | xargs black --check
+        uses: psf/black@1b2427a2b785cc4aac97c19bb4b9a0de063f9547 # v24.10.0
+        with:
+          # This recursively scans the entire project. Note that `exclude` must be
+          # an empty string: "An empty value means no paths are excluded."
+          options: "--check --exclude=''"
 
   # Inherits workflow permissions.
   jsonnet:
@@ -61,7 +57,7 @@ jobs:
           fetch-depth: 1
 
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: 1.22
 

.github/workflows/scorecard.yml

@@ -68,6 +68,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@cf5b0a9041d3c1d336516f1944c96d96598193cc  # v2.19.1
         with:
           sarif_file: results.sarif