fix(workflow-templates): pin action SHAs and fix security violations

workflow-templates/auto-assign-project-to-issue.yml

@@ -16,6 +16,8 @@ jobs:
           github-token: ${{ secrets.ADD_PROJECT_TO_ISSUE_PAT }}
 
       - name: Log info
+        env:
+          ISSUE_TITLE: ${{ github.event.issue.title }}
         run: |
-          echo "▶ Triggered by issue #${{ github.event.issue.number }}: ${{ github.event.issue.title }}"
-          echo "▶ Added to Project #${{ vars.PROJECT }} (beta)"
+          echo "▶ Triggered by issue #${{ github.event.issue.number }}: $ISSUE_TITLE"
+          echo "▶ Added to Project #${{ vars.PROJECT }} (beta)"

workflow-templates/dev-docker-build-selective.yml

@@ -50,7 +50,6 @@ on:
 
 permissions:
   contents: read
-  packages: write
 
 concurrency:
   group: ${{ github.ref_type == 'branch' && format('build-branch-{0}', github.ref_name) || format('build-{0}', github.sha) }}
@@ -67,15 +66,15 @@ jobs:
       packages: ${{ steps.config.outputs.config }}
       tags: "${{ steps.meta.outputs.result }}"
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           persist-credentials: true
           fetch-depth: 0
 
       - name: Changed Files
         if: github.event_name != 'workflow_dispatch'
         id: changed-files
-        uses: tj-actions/changed-files@v47
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47
         with:
           json: true
           write_output_files: true # .github/outputs/all_changed_files.json

workflow-templates/dev-mvn-docker-build.yml

@@ -74,7 +74,7 @@ jobs:
           java-version: ${{ github.event.inputs.java-version || '21' }}
 
       - name: "Generate metadata"
-        uses: netcracker/qubership-workflow-hub/actions/metadata-action@m5a557213e92e3d22d0292330c4817c82af6704d2 #v2.1.2
+        uses: netcracker/qubership-workflow-hub/actions/metadata-action@e64a1ee2fc2f68ab44a4ef416c27d83ce36ba8e1 # v2.2.1
         id: metadata
 
       - name: "Prepare tags"

workflow-templates/license-header.yml

@@ -55,13 +55,13 @@ jobs:
 
       - name: "Fix License Headers"
         continue-on-error: true
-        uses: apache/skywalking-eyes/header@v0.8.0
+        uses: apache/skywalking-eyes/header@61275cc80d0798a405cb070f7d3a8aaf7cf2c2c1 # v0.8.0
         with:
           mode: ${{ inputs.mode || 'fix' }} # default to fix
 
       - name: "Create Pull Request"
         if: inputs.mode == 'fix' || github.event_name == 'push'
-        uses: peter-evans/create-pull-request@v8.1.1
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: "${{ inputs.commit-message || 'chore: add license headers to source files' }}"

workflow-templates/scout-cves.yml

@@ -8,6 +8,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   scan:
     name: "Scan Docker Image for CVEs"
@@ -23,14 +26,14 @@ jobs:
           persist-credentials: false
 
       - name: "Login to Docker Hub"
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_RW_TOKEN }}
 
       - name: "Run Docker Scout CVEs"
         id: scout
-        uses: docker/scout-action@v1
+        uses: docker/scout-action@bacf462e8d090c09660de30a6ccc718035f961e3 # v1
         with:
           command: cves
           image: ${{ inputs.image }}