From 9c0831eff94e1b253e7042ad5e686c510f5b92a5 Mon Sep 17 00:00:00 2001
From: "hashicorp-tsccr[bot]" <129506189+hashicorp-tsccr[bot]@users.noreply.github.com>
Date: Wed, 21 Jun 2023 16:19:21 +0100
Subject: [PATCH] SEC-090: Automated trusted workflow pinning (2023-04-21) (#14387)
* Result of tsccr-helper -pin-all-workflows .
* Update pull-request-size.yml from v1.5.2 to v1.8.1
* Bump uesteibar/reviewer-lottery to v3.1.0 as part of workflow pinning
---------
Co-authored-by: hashicorp-tsccr[bot]
Co-authored-by: Sarah French <15078782+SarahFrench@users.noreply.github.com>
---
 .github/workflows/go.yml | 4 ++--
 .github/workflows/labeler.yml | 5 ++---
 .github/workflows/lock.yml | 2 +-
 .github/workflows/pull-request-reviewer.yml | 4 ++--
 .github/workflows/pull-request-size.yml | 2 +-
 .github/workflows/release.yml | 4 ++--
 .github/workflows/stale.yml | 2 +-
 7 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 2d6c64c9602..57c237653db 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -14,10 +14,10 @@ jobs:
 steps:
 - name: Check out code into the Go module directory
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: Set up Go 1.x
- uses: actions/setup-go@v3
+ uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
 with:
 go-version-file: "go.mod"
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index ff8c13405de..e5a8ae650df 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
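Review bot: The actions/setup-go line in this hunk moves from the v3 tag to a SHA labelled v4.0.0, which is a major-version upgrade rather than a pin of the version the workflow already ran; as far as I recall setup-go v4 enables module caching by default, so with `go-version-file: "go.mod"` the job would start depending on a go.sum-keyed cache, which is worth confirming against the v4.0.0 release notes before merge. The same pin-plus-major-bump pattern appears in pull-request-reviewer.yml and release.yml (actions/checkout v2 to v3.5.2, actions/upload-artifact v2 to v3.1.2) and in stale.yml (actions/stale v5.2.0 to v8.0.0), none of which the commit description mentions, whereas the pull-request-size and reviewer-lottery bumps are called out explicitly. Because a reader of a SHA-pinned line can only judge it from the trailing version comment, I would either list those bumps in the description the same way, e.g. `* Bump actions/setup-go to v4.0.0 and actions/stale to v8.0.0 as part of workflow pinning`, or land the major bumps separately so the pinning commit stays behaviour-neutral.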
@@ -8,9 +8,8 @@ jobs:
 triage:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- - uses: github/issue-labeler@e24a3eb6b2e28c8904d086302a2b760647f5f45c # v3.1
-
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ - uses: github/issue-labeler@cd54a96bcc32e2a890e865b2eceffee3fc458b9d # v3.0
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
 configuration-path: .github/labeler.yml
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index c1a9736dcae..eacf7e7c6e0 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -8,7 +8,7 @@ jobs:
 lock:
 runs-on: ubuntu-latest
 steps:
- - uses: dessant/lock-threads@c1b35aecc5cdb1a34539d14196df55838bb2f836 #v4.0.0
+ - uses: dessant/lock-threads@c1b35aecc5cdb1a34539d14196df55838bb2f836 # v4.0.0
 with:
 github-token: ${{ github.token }}
 issue-comment: >
diff --git a/.github/workflows/pull-request-reviewer.yml b/.github/workflows/pull-request-reviewer.yml
index e52a0ace736..02867fe72db 100644
--- a/.github/workflows/pull-request-reviewer.yml
+++ b/.github/workflows/pull-request-reviewer.yml
@@ -11,7 +11,7 @@ jobs:
 if: ${{ github.actor != 'modular-magician' }}
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - uses: uesteibar/reviewer-lottery@5531ef7fe55d814c8f8fbab12de4ff74d15b41ed
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ - uses: uesteibar/reviewer-lottery@c291d74388da1cb583aff994b8be945e8eefbcd5 # v3.1.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pull-request-size.yml b/.github/workflows/pull-request-size.yml
index f5e2dc70f9f..c823f1422c6 100644
--- a/.github/workflows/pull-request-size.yml
+++ b/.github/workflows/pull-request-size.yml
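Review bot: The github/issue-labeler line in this hunk changes its version comment from `# v3.1` on the removed line to `# v3.0` on the new SHA, so the pinning pass appears to have moved the action backwards by a minor release, and neither the commit description nor the tsccr-helper bullet mentions a downgrade. If v3.1 is the intended release, the removed line already carried a SHA labelled v3.1 and the new pin should resolve to that tag instead; if v3.0 is deliberate, the reason should be recorded next to the line, e.g. `# v3.0 (pinned below v3.1 on purpose: <reason>)`. In either case the SHA-to-tag mapping on the new line is worth confirming against the upstream repository before merge, since the trailing comment is the only thing a reader can check and a stale or wrong comment is what SHA pinning is meant to guard against.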
@@ -7,7 +7,7 @@ jobs:
 runs-on: ubuntu-latest
 name: Label the PR size
 steps:
- - uses: codelytv/pr-size-labeler@417e60a06bd915dd3d96ec4aa105f7d753a8f974
+ - uses: codelytv/pr-size-labeler@54ef36785e9f4cb5ecf1949cfc9b00dbb621d761 # v1.8.1
 with:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 xs_max_size: '30'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 750b2efaabf..3cfc78e453b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,7 +12,7 @@ jobs:
 release-notes:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 fetch-depth: 0
 - name: Generate Release Notes
@@ -20,7 +20,7 @@ jobs:
 export PREV_TAG=$(git tag --list 'v*' --sort=-version:refname | head -n 2 | tail -n 1)
 export PREV_VERSION=${PREV_TAG//v}
 sed -n -e "1{/# /d;}" -e "2{/^$/d;}" -e "/# $PREV_VERSION/q;p" CHANGELOG.md > release-notes.txt
- - uses: actions/upload-artifact@v2
+ - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
 with:
 name: release-notes
 path: release-notes.txt
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index e1d4649f0a1..d80312d1c47 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -7,7 +7,7 @@ jobs:
 stale:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/stale@99b6c709598e2b0d0841cd037aaf1ba07a4410bd #v5.2.0
+ - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 days-before-stale: 9999