chore: pin GitHub Actions to SHA commits on master-java8

[Copilot]

• Update .github/workflows/maven.yml to pin actions to SHA commits
• Update .github/workflows/snapshot.yml to pin actions to SHA commits
• Update .github/workflows/generate.yml to pin actions to SHA commits
• Update .github/workflows/generate-crd.yml to pin actions to SHA commits
• Update .github/workflows/codeql-analysis.yml to pin actions to SHA commits
• Update .github/workflows/release.yml to pin actions to SHA commits
• Update .github/dependabot.yml to add github-actions tracking for master-java8

⚠️ Note for reviewers: This PR must be re-targeted to master-java8 before merging (change the base branch from master to master-java8). The diff against master-java8 will show only the 7 .github/ files with SHA pins added.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Copilot
Once this PR has been reviewed and has the lgtm label, please ask for approval from brendandburns. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[brendandburns]

@copilot change this PR to target the master-java8 branch.

[brendandburns]

@copilot change this PR to target the master-java8 branch.

[Copilot]

@copilot change this PR to target the master-java8 branch.

Unfortunately, I'm unable to change the PR base branch programmatically from this environment — the GitHub REST API (api.github.com) is blocked by a DNS monitoring proxy, and the gh CLI GraphQL API returns 403. The Playwright browser tool is also locked.

Could you please change the base branch to master-java8 manually? In the GitHub UI: click Edit next to the PR title → change the Base dropdown from master to master-java8 → click Change base.

Once retargeted, the diff will show only the 7 .github/ files with SHA pins (the current 7-file diff is already correct content — it's just comparing against master instead of master-java8).

@copilot change this PR to target the master-java8 branch.

Same situation as my earlier reply: the GitHub REST API is blocked by a DNS monitoring proxy in this environment, so I can't change the base branch programmatically. Please change it manually via the Edit button in the GitHub UI: Base → master-java8.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/
  • Triggering command: /usr/bin/curl curl -s -o /dev/null -w %{http_code}\n --max-time 5 REDACTED (http block)
• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh gh pr view 4713 --json baseRefName,headRefName,state (http block)
  • Triggering command: /usr/bin/gh gh pr edit 4713 --base master-java8 (http block)
• https://api.github.com/repos/kubernetes-client/java/pulls/4713
  • Triggering command: /usr/bin/curl curl --silent --max-time 10 -o /dev/null -w %{http_code} -X PATCH REDACTED -H Authorization: token ****** -H Content-Type: application/json -d {"base":"master-java8"} (http block)
  • Triggering command: /usr/bin/curl curl --silent --max-time 10 -w \nHTTP_STATUS:%{http_code} -X PATCH REDACTED -H Authorization: ****** -H Accept: application/vnd.github+json -H X-GitHub-Api-Version: 2022-11-28 -H Content-Type: application/json -d {"base":"master-java8"} (http block)
  • Triggering command: /usr/bin/gh gh api --method PATCH /repos/kubernetes-client/java/pulls/4713 -f base=master-java8 (http block)
• https://api.github.com/zen
  • Triggering command: /usr/bin/curl curl -s -o /dev/null -w %{http_code}\n --max-time 5 REDACTED -H Authorization: ****** (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)