chore(deps): pin dependencies

.github/workflows/automatic-pr-labeler.yaml

@@ -24,11 +24,11 @@ jobs:
     if: (github.event.pull_request.merged == false) && (github.event.pull_request.user.login != 'dependabot[bot]') && (github.event.pull_request.user.login != 'github-actions[bot]')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: "Execute assign labels"
         id: action-assign-labels
-        uses: mauroalderete/action-assign-labels@v1
+        uses: mauroalderete/action-assign-labels@671a4ca2da0f900464c58b8b5540a1e07133e915 # v1
         with:
           pull-request-number: ${{ github.event.pull_request.number }}
           github-token: ${{ github.token }}

.github/workflows/cleanup-old-maven-pkgs.yml

@@ -43,7 +43,7 @@ jobs:
             echo "**Dry-run**: ${{ github.event.inputs.dry-run || 'false' }}"
             echo "**Debug**: ${{ github.event.inputs.debug || 'false' }}"
         - name: Run Maven Cleanup Action
-          uses: netcracker/qubership-workflow-hub/actions/container-package-cleanup@v2.1.1
+          uses: netcracker/qubership-workflow-hub/actions/container-package-cleanup@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2
           with:
             threshold-days: ${{ github.event.inputs.threshold-days || 14 }}
             included-patterns: ${{ github.event.inputs.included-patterns || '*SNAPSHOT*' }}

.github/workflows/link-checker.yaml

@@ -15,10 +15,10 @@ jobs:
   linkChecker:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Restore lychee cache
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         id: restore-cache
         with:
           path: .lycheecache
@@ -27,7 +27,7 @@ jobs:
 
       - name: Link Checker
         id: lychee
-        uses: lycheeverse/lychee-action@v2
+        uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2
         with:
           args: >-
             './**/*.md'

.github/workflows/maven-deploy.yml

@@ -30,7 +30,7 @@ on:
 jobs:
   maven-deploy:
     name: Maven deploy
-    uses: Netcracker/qubership-core-infra/.github/workflows/generic-maven-build.yaml@v2.2.0
+    uses: Netcracker/qubership-core-infra/.github/workflows/generic-maven-build.yaml@bc2a0bd082147e23b4091616c608a21cc2957728 # v2.4.1
     with:
       maven-command: 'deploy'
       sonar-project-key: ${{ vars.SONAR_PROJECT_KEY }}

.github/workflows/maven-verify.yml

@@ -22,7 +22,7 @@ on:
 jobs:
   maven-verify:
     name: Maven verify
-    uses: Netcracker/qubership-core-infra/.github/workflows/generic-maven-build.yaml@v2.2.0
+    uses: Netcracker/qubership-core-infra/.github/workflows/generic-maven-build.yaml@bc2a0bd082147e23b4091616c608a21cc2957728 # v2.4.1
     with:
       maven-command: 'verify'
       sonar-project-key: ${{ vars.SONAR_PROJECT_KEY }}

.github/workflows/pr-assigner.yml

@@ -22,10 +22,10 @@ jobs:
             exit 0
           fi
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
-      - uses: netcracker/qubership-workflow-hub/actions/pr-assigner@5edd67e98d2f0eec5ab77b4deca0e1d481137462 # 2.1.1
+      - uses: netcracker/qubership-workflow-hub/actions/pr-assigner@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-conventional-commits.yaml

@@ -16,6 +16,6 @@ jobs:
     name: Conventional Commits
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-      - uses: webiny/action-conventional-commits@v1.3.1
+      - uses: webiny/action-conventional-commits@7f91b1595ca1951cdb671ddc9f07a49081ec5b69 # v1.4.2

.github/workflows/pr-lint-title.yaml

@@ -18,6 +18,6 @@ jobs:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v6
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/profanity-filter.yaml

@@ -20,7 +20,7 @@ jobs:
       - name: Scan issue or pull request for profanity
         # Conditionally run the step if the actor isn't a bot
         if: ${{ github.actor != 'dependabot[bot]' && github.actor != 'github-actions[bot]' }}
-        uses: IEvangelist/profanity-filter@10.0
+        uses: IEvangelist/profanity-filter@7d6e0c79ee3d33ae09b5ed0c6e2fa04b9c512e08 # 10.0
         id: profanity-filter
         with:
           token: ${{ secrets.GITHUB_TOKEN }}