From 216482e3c49631e6a519d91cf7731abf857e29ff Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Wed, 9 Oct 2024 10:11:33 -0400
Subject: [PATCH 1/7] github: pin actions/upload-artifact@v to known working SHA

This version properly handles relative symlinks.

Signed-off-by: Simon Deziel
---
 .github/workflows/tests.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index d93a4fac8f9f..bcc106044652 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -62,7 +62,7 @@ jobs: if: github.event_name == 'pull_request' - name: Upload artifact with ShellCheck defects in SARIF format - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 with: name: Differential ShellCheck SARIF path: ${{ steps.ShellCheck.outputs.sarif }}
@@ -194,14 +194,14 @@ jobs: sudo --preserve-env=CGO_CFLAGS,CGO_LDFLAGS,CGO_LDFLAGS_ALLOW,GOCOVERDIR,LD_LIBRARY_PATH LD_LIBRARY_PATH=${LD_LIBRARY_PATH} env "PATH=${PATH}" make check-unit - name: Upload coverage data - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 with: name: coverage-unit path: ${{env.GOCOVERDIR}} if: env.GOCOVERDIR != '' - name: Upload system test dependencies - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 with: name: system-test-deps path: |
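Review bot: The `# v4.4.2` trailer on each new `uses: actions/upload-artifact@84480863…` line is a comment only; the runner resolves the SHA, so nothing verifies that the comment and the commit still describe the same release, and the two can drift apart on later edits. It would help to state in the commit message how the SHA was checked against the upstream tag, and to confirm that an automated updater for the `github-actions` ecosystem (whether `.github/dependabot.yml` already covers it is not visible here) bumps the SHA and the version comment together. The same applies to every pin in this series: download-artifact, checkout, cache/save and cache/restore, labeler, dependency-review-action and setup-go. The enclosing job definitions start before each hunk.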
@@ -339,7 +339,7 @@ jobs: sudo --preserve-env=PATH,GOPATH,GOCOVERDIR,GITHUB_ACTIONS,LXD_VERBOSE,LXD_BACKEND,LXD_CEPH_CLUSTER,LXD_CEPH_CEPHFS,LXD_CEPH_CEPHOBJECT_RADOSGW,LXD_OFFLINE,LXD_SKIP_TESTS,LXD_REQUIRED_TESTS, LXD_BACKEND=${{ matrix.backend }} ./main.sh ${{ matrix.suite }} - name: Upload coverage data - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 with: name: coverage-${{ matrix.go }}-${{ matrix.suite }}-${{ matrix.backend }} path: ${{env.GOCOVERDIR}}
@@ -507,7 +507,7 @@ jobs: go test -v ./shared/... - name: Upload lxc client artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 continue-on-error: true with: name: lxd-clients-${{ runner.os }}
@@ -560,7 +560,7 @@ jobs: - name: Upload documentation artifacts if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 with: name: documentation path: doc/_build
From 8a2c4350551293becc492f5dc6c39a0ba4423df1 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Wed, 9 Oct 2024 10:11:46 -0400
Subject: [PATCH 2/7] github: pin actions/download-artifact@v4

Signed-off-by: Simon Deziel
---
 .github/workflows/tests.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index bcc106044652..3170fabf5954 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -308,7 +308,7 @@ jobs: sudo apt-get clean - name: Download system test dependencies - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: system-test-deps merge-multiple: true
@@ -377,14 +377,14 @@ jobs: go-version: 1.22.x - name: Download coverage data - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: pattern: coverage-* path: ${{env.GOCOVERDIR}} merge-multiple: true - name: Download system test dependencies - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: system-test-deps merge-multiple: true
From f2be72231e3b94da9c428318ecac37077848e4cf Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Wed, 9 Oct 2024 10:17:14 -0400
Subject: [PATCH 3/7] github: pin actions/checkout@v4

Signed-off-by: Simon Deziel
---
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/security.yml | 4 ++--
 .github/workflows/tests-snap.yml | 2 +-
 .github/workflows/tests.yml | 12 ++++++------
 .github/workflows/triage.yml | 2 +-
 5 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0a2b0361e9a6..b5fd32fdbbe5 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -55,7 +55,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index dfc773c54c77..ae9469b87ea1 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -23,7 +23,7 @@ jobs: if: ${{ ( github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' ) && github.ref_name == 'main' && github.repository == 'canonical/lxd' }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: ref: main
@@ -73,7 +73,7 @@ jobs: - "4.0" steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: ref: ${{ (matrix.version == 'latest' && 'main') || format('stable-{0}', matrix.version) }}
diff --git a/.github/workflows/tests-snap.yml b/.github/workflows/tests-snap.yml
index 7490161d4907..eadd1de022fb 100644
--- a/.github/workflows/tests-snap.yml
+++ b/.github/workflows/tests-snap.yml
@@ -9,4 +9,4 @@ jobs: test-self-hosted-large-container: runs-on: [self-hosted, linux, X64, jammy, large] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 3170fabf5954..8d8e9feb5bcd 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -39,7 +39,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: # A non-shallow clone is needed for the Differential ShellCheck fetch-depth: 0
@@ -240,7 +240,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Tune disk performance uses: ./.github/actions/tune-disk-performance
@@ -357,7 +357,7 @@ jobs: if: ${{ ( github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' ) && github.ref_name == 'main' && github.repository == 'canonical/lxd' }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: # A non-shallow clone is needed for the Differential ShellCheck fetch-depth: 0
@@ -439,7 +439,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Install Go (${{ matrix.go }}) uses: actions/setup-go@v5
@@ -518,7 +518,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Install Go (1.22) uses: actions/setup-go@v5
@@ -572,7 +572,7 @@ jobs: if: ${{ github.repository == 'canonical/lxd' && github.event_name == 'push' && github.actor != 'dependabot[bot]' }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Setup Launchpad SSH access env:
diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index 092a8d4fa562..f3f896f85c77 100644
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
@@ -30,7 +30,7 @@ jobs: issues: write runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Notify uses: iamfj/action-label-notification@v1.0.0 with:
From a6d1b2f702d7137bf5c3bc13a8bee45b83089b07 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Wed, 9 Oct 2024 10:21:16 -0400
Subject: [PATCH 4/7] github: pin actions/cache/{save,restore}@v4

Signed-off-by: Simon Deziel
---
 .github/workflows/security.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index ae9469b87ea1..38a7d41cd7d6 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -47,7 +47,7 @@ jobs: --severity LOW,MEDIUM,HIGH,CRITICAL --output trivy-lxd-repo-scan-results.sarif . - name: Cache Trivy vulnerability database - uses: actions/cache/save@v4 + uses: actions/cache/save@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1 with: path: /home/runner/vuln-cache key: trivy-cache-${{ github.run_id }}
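Review bot: In the triage.yml hunk, the job that now runs `actions/checkout` at a pinned SHA also runs `iamfj/action-label-notification@v1.0.0` two lines later with `issues: write` granted, and that third-party action stays on a mutable tag. A tag owned by an outside maintainer is the reference most worth pinning, since whoever controls that repository can move it to different code without any change on this side; if the series is meant to cover every `uses:` reference, this one should get the same `@<sha> # v1.0.0` form, with the SHA resolved from the upstream tag rather than copied from anywhere else. The enclosing job definition starts before the hunk.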
@@ -88,7 +88,7 @@ jobs: sudo apt-get install trivy - name: Restore cached Trivy vulnerability database - uses: actions/cache/restore@v4 + uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1 with: path: /home/runner/vuln-cache key: trivy-cache-${{ github.run_id }}
From 3e281bb0adfc5f41d65145e966e6fe4fd2f47261 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Wed, 9 Oct 2024 10:22:22 -0400
Subject: [PATCH 5/7] github: pin actions/labeler@v5

Signed-off-by: Simon Deziel
---
 .github/workflows/triage.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index f3f896f85c77..2208228dfea0 100644
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
@@ -18,7 +18,7 @@ jobs: name: PR labels runs-on: ubuntu-22.04 steps: - - uses: actions/labeler@v5 + - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" sync-labels: true
From cd0ac3e2f1450953d2efd9283e1bb464ee694fd3 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Wed, 9 Oct 2024 10:23:09 -0400
Subject: [PATCH 6/7] github: pin actions/dependency-review-action@v4

Signed-off-by: Simon Deziel
---
 .github/workflows/tests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 8d8e9feb5bcd..5fe407b55375 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -48,7 +48,7 @@ jobs: uses: ./.github/actions/tune-disk-performance - name: Dependency Review - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 if: github.event_name == 'pull_request' # XXX: `make static-analysis` also run shellcheck but this one provides
From 2f2a300ab28589393258c81616508c43d1171409 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Wed, 9 Oct 2024 10:24:21 -0400
Subject: [PATCH 7/7] github: pin actions/setup-go@v5

Signed-off-by: Simon Deziel
---
 .github/workflows/tests.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 5fe407b55375..14fbb26cafd6 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -69,7 +69,7 @@ jobs: if: github.event_name == 'pull_request' - name: Install Go (1.22) - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: 1.22.x
@@ -252,7 +252,7 @@ jobs: uses: ./.github/actions/disable-docker - name: Install Go (${{ matrix.go }}) - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: ${{ matrix.go }}
@@ -372,7 +372,7 @@ jobs: uses: ./.github/actions/disable-docker - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: 1.22.x
@@ -442,7 +442,7 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Install Go (${{ matrix.go }}) - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: ${{ matrix.go }}
@@ -521,7 +521,7 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Install Go (1.22) - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: 1.22.x
@@ -590,7 +590,7 @@ jobs: ssh-keygen -qlF git.launchpad.net | grep -xF 'git.launchpad.net RSA SHA256:UNOzlP66WpDuEo34Wgs8mewypV0UzqHLsIFoqwe8dYo' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: 1.22.x