From d9f2e950761002ba04c1efb7d0b27e5e706c3f8a Mon Sep 17 00:00:00 2001
From: Michel Loiseleur <97035654+mloiseleur@users.noreply.github.com>
Date: Mon, 30 Mar 2026 09:08:14 +0200
Subject: [PATCH] ci: finish gha pinning (#6327)

---
 .github/workflows/ci.yaml                |  4 ++--
 .github/workflows/codeql-analysis.yaml   |  6 +++---
 .github/workflows/dependency-update.yaml |  2 +-
 .github/workflows/lint.yaml              | 14 +++++++-------
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 67ae52b5e..960a45567 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -45,7 +45,7 @@ jobs:
       run: make go-test
 
     - name: Send coverage
-      uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2
+      uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
       with:
         file: profile.cov
         format: golang
@@ -59,7 +59,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Coveralls Finished
-      uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2
+      uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
       with:
         parallel-finished: true
         carryforward: "run-ubuntu-latest,run-macos-latest"
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
index cb9cc8839..d4392dce0 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -7,7 +7,7 @@ on:
     # The branches below must be a subset of the branches above
     branches: [ master ]
   schedule:
-    - cron: '35 13 * * 5'
+  - cron: '35 13 * * 5'
   workflow_dispatch:
 
 jobs:
@@ -33,7 +33,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@b8bb9f28b8d3f992092362369c57161b755dea45 # v4
+      uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -45,4 +45,4 @@ jobs:
         make build
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b8bb9f28b8d3f992092362369c57161b755dea45 # v4
+      uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
diff --git a/.github/workflows/dependency-update.yaml b/.github/workflows/dependency-update.yaml
index 4226d6c68..eafec90b1 100644
--- a/.github/workflows/dependency-update.yaml
+++ b/.github/workflows/dependency-update.yaml
@@ -18,7 +18,7 @@ jobs:
     if: github.repository == 'kubernetes-sigs/external-dns'
     steps:
       - name: checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       # https://github.com/renovatebot/github-action
       - name: self-hosted renovate
         uses: renovatebot/github-action@0b17c4eb901eca44d018fb25744a50a74b2042df # v46.1.4
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 0dc0ac492..593b06aca 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -14,7 +14,7 @@ jobs:
     steps:
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Lint markdown
       uses: nosborn/github-action-markdown-cli@508d6cefd8f0cc99eab5d2d4685b1d5f470042c1 # v3.5.0
@@ -39,13 +39,13 @@ jobs:
 
     # https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#verify
     - name: Verify linter configuration and Lint go code
-      uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
+      uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
       with:
         verify: true
         args: --timeout=30m
         version: v2.11.4
 
-    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
     # https://github.com/pre-commit/action
     - name: Verify with pre-commit
       uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
@@ -56,8 +56,8 @@ jobs:
     permissions:
       contents: read
     steps:
-      - name: Check out code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+    - name: Check out code
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Check Go version consistency across cloudbuild.yaml, go.mod and go.tool.mod
-        run: ./scripts/go-version-consistency.sh
+    - name: Check Go version consistency across cloudbuild.yaml, go.mod and go.tool.mod
+      run: ./scripts/go-version-consistency.sh