From 8fe2da1703c847e2af0be89941ca80b80346ebe6 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Sun, 31 May 2026 10:38:20 +0100
Subject: [PATCH] Pin resolvable release workflow actions

Replace unresolved major action aliases with existing upstream tags for cosign-installer and Scorecard, and keep workflow contract tests aligned.
Verification: pnpm exec vitest run test/release-workflow.test.ts test/security-workflow.test.ts; pnpm lint; actionlint .github/workflows/release-image.yml .github/workflows/rg-release.yml .github/workflows/scorecard.yml
---
 .github/workflows/release-image.yml | 2 +-
 .github/workflows/rg-release.yml | 2 +-
 .github/workflows/scorecard.yml | 8 +++++---
 test/release-workflow.test.ts | 4 +++-
 test/security-workflow.test.ts | 8 ++++++--
 5 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/release-image.yml b/.github/workflows/release-image.yml
index 50523e0..e6e3a23 100644
--- a/.github/workflows/release-image.yml
+++ b/.github/workflows/release-image.yml
@@ -59,7 +59,7 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - uses: sigstore/cosign-installer@v4
+ - uses: sigstore/cosign-installer@v4.1.2
 - id: release_meta
 run: |
diff --git a/.github/workflows/rg-release.yml b/.github/workflows/rg-release.yml
index 019e6fb..cbe9e67 100644
--- a/.github/workflows/rg-release.yml
+++ b/.github/workflows/rg-release.yml
@@ -48,7 +48,7 @@ jobs:
 platforms: linux/amd64,linux/arm64
 push: true
 tags: ${{ inputs.image-ref }}
- - uses: sigstore/cosign-installer@v4
+ - uses: sigstore/cosign-installer@v4.1.2
 - run: cosign sign --yes ${{ inputs.image-ref }}@${{ steps.build.outputs.digest }}
 - uses: actions/attest-build-provenance@v3
 with:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 2f5daf0..0fcb4ff 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
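Review bot: The `+` line `- uses: sigstore/cosign-installer@v4.1.2` still references a mutable tag, so the step that installs the tool later used to sign release images runs whatever commit the tag points at on the day of the run, and Scorecard's own Pinned-Dependencies check treats tag references as unpinned. Pin to the release's full commit SHA and keep the version as a trailing comment, `- uses: sigstore/cosign-installer@<full-commit-sha> # v4.1.2` (SHA taken from the upstream v4.1.2 release), so Dependabot or Renovate can update the comment alongside the SHA. The same applies to the rg-release.yml hunk and to `ossf/scorecard-action@v2.4.3` in the scorecard.yml hunk, where the workflow being hardened would otherwise flag itself. The contract tests that compare `step.uses` against the tag string would then need to match the SHA-pinned form. The enclosing `steps:` list begins outside the hunk.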
@@ -10,19 +10,21 @@ on:
 permissions:
 contents: read
- id-token: write
- security-events: write
 jobs:
 scorecard:
 name: openssf-scorecard
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ security-events: write
 timeout-minutes: 15
 steps:
 - uses: actions/checkout@v6
 with:
 persist-credentials: false
- - uses: ossf/scorecard-action@v3
+ - uses: ossf/scorecard-action@v2.4.3
 with:
 results_file: scorecard-results.sarif
 results_format: sarif
diff --git a/test/release-workflow.test.ts b/test/release-workflow.test.ts
index 4d68722..1dfb0dc 100644
--- a/test/release-workflow.test.ts
+++ b/test/release-workflow.test.ts
@@ -56,7 +56,9 @@ describe("release workflow", () => {
 true
 );
 expect(steps.some((step) => step.uses === "docker/login-action@v4")).toBe(true);
- expect(steps.some((step) => step.uses === "sigstore/cosign-installer@v4")).toBe(true);
+ expect(
+ steps.some((step) => step.uses === "sigstore/cosign-installer@v4.1.2")
+ ).toBe(true);
 expect(steps.some((step) => step.uses === "anchore/sbom-action@v0")).toBe(true);
 expect(
 steps.some((step) => step.uses === "actions/attest-build-provenance@v3")
diff --git a/test/security-workflow.test.ts b/test/security-workflow.test.ts
index 81ea726..8805312 100644
--- a/test/security-workflow.test.ts
+++ b/test/security-workflow.test.ts
@@ -36,11 +36,15 @@ describe("security and reusable workflows", () => {
 ) as { on: Record; permissions: Record; jobs: Record> };
 expect(workflow.on).not.toHaveProperty("pull_request");
- expect(workflow.permissions).toMatchObject({
+ expect(workflow.permissions).toEqual({ contents: "read" });
+ expect(workflow.jobs.scorecard["runs-on"]).toBe("ubuntu-latest");
+ expect(workflow.jobs.scorecard.permissions).toMatchObject({
 "id-token": "write",
 "security-events": "write"
 });
- expect(workflow.jobs.scorecard["runs-on"]).toBe("ubuntu-latest");
+ expect(String(JSON.stringify(workflow))).toContain(
+ "ossf/scorecard-action@v2.4.3"
+ );
 expect(String(JSON.stringify(workflow))).toContain("publish_results");
 });
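Review bot: The new job-level assertion `expect(workflow.jobs.scorecard.permissions).toMatchObject({ "id-token": "write", "security-events": "write" })` still passes if that block later gains further grants such as `contents: write`, whereas the top-level check two lines above was tightened to `toEqual` in this same hunk; since the intent is that only this job holds the two write scopes, pin it exactly with `expect(workflow.jobs.scorecard.permissions).toEqual({ contents: "read", "id-token": "write", "security-events": "write" });`. The added `expect(String(JSON.stringify(workflow))).toContain("ossf/scorecard-action@v2.4.3")` wraps a call that already returns a string here, and a substring search over the whole serialized workflow is looser than the `step.uses === …` comparison release-workflow.test.ts uses for the same kind of pin. The `it` callback these assertions belong to starts outside the hunk, and the type arguments of the cast appear to have been stripped in this rendering (`Record;`), so that line is not assessable here.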