ci(security): resolve security alerts (#12466)

## Motivation

Scorecard has some security alerts that need to be addressed.

## Implementation information

- Pinned git commit hashes for scripts sourced from GitHub repositories
in `mk/dependencies/*.sh` scripts.
- Pinned hashes for some GitHub Actions.
- Added comments to cron schedules for CodeQL and Scorecard GitHub
Actions.
- Removed unnecessary `contents: read` permission in the CodeQL GitHub
Action.

> Changelog: skip

<!--
Uncomment the above section to explicitly set a [`> Changelog:` entry
here](https://github.com/kumahq/kuma/blob/master/CONTRIBUTING.md#submitting-a-patch)?
-->

---------

Signed-off-by: Bart Smykla <[email protected]>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

.github/workflows/_e2e.yaml

@@ -57,7 +57,7 @@ jobs:
           make build
       - run: |
           make -j build/distributions
-      - uses: nick-fields/retry@v3
+      - uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
         id: retry
         with:
           max_attempts: 3

.github/workflows/ci-stability.yaml

@@ -27,7 +27,7 @@ jobs:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           fetch-depth: 0
           token: ${{ steps.github-app-token.outputs.token }}

.github/workflows/codeql.yaml

@@ -2,7 +2,7 @@ name: "CodeQL"
 on:
   workflow_dispatch: {}
   schedule:
-    - cron: '35 3 * * *'
+    - cron: '35 3 * * *' # Runs daily at 3:35 AM UTC
 permissions:
   contents: read
 jobs:
@@ -12,7 +12,6 @@ jobs:
     runs-on: ubuntu-24.04
     permissions:
       actions: read
-      contents: read
       security-events: write
     strategy:
       fail-fast: false

.github/workflows/scorecard.yml

@@ -7,7 +7,7 @@ on:
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
-    - cron: '35 3 * * *'
+    - cron: '35 3 * * *' # Runs daily at 3:35 AM UTC
 # Declare default permissions as read only.
 permissions: read-all
 jobs:

mk/dependencies/deps.lock

@@ -1 +1 @@
-650221a6ce7da324ec2e7f61246f2ac54129d9eb
+7480f69e6cbb63f27535ac9fa36463436b11c130

mk/dependencies/golangci-lint.sh

@@ -14,4 +14,4 @@ if [ -e "${golangcilint}" ] && [ "v$(${golangcilint} version --format short)" ==
   echo "golangci-lint ${VERSION} is already installed at ${OUTPUT_BIN_DIR}"
   exit
 fi
-curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${OUTPUT_BIN_DIR}" "${VERSION}"
+curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/e68d278319b6d0a68680e3389bc0576ef39ec02b/install.sh | sh -s -- -b "${OUTPUT_BIN_DIR}" "${VERSION}"

mk/dependencies/helm.sh

@@ -5,7 +5,7 @@ set -e
 OUTPUT_DIR=$1/bin
 VERSION="3.8.2"
 export PATH="$OUTPUT_DIR:$PATH" # install script checks if helm is in your path
-curl --fail --location -s https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | \
+curl --fail --location -s https://raw.githubusercontent.com/helm/helm/ad9768402951f48f61e1ecbea0c1894456d63a2a/scripts/get-helm-3 | \
 	HELM_INSTALL_DIR=${OUTPUT_DIR} DESIRED_VERSION=v${VERSION} USE_SUDO=false bash
 
 CR_VERSION="1.3.0"

mk/dependencies/k3d.sh

@@ -8,7 +8,6 @@ VERSION="5.7.4"
 if [[ $2 == "get-version" ]]; then
   echo ${VERSION}
 else
-  # see https://raw.githubusercontent.com/rancher/k3d/main/install.sh
-  curl --fail --location -s https://raw.githubusercontent.com/rancher/k3d/main/install.sh | \
+  curl --fail --location -s https://raw.githubusercontent.com/rancher/k3d/4709d6adb24b23721f471e667e7301fa673b5efc/install.sh | \
             PATH=${OUTPUT_DIR}:${PATH} TAG=v${VERSION} USE_SUDO="false" K3D_INSTALL_DIR="${OUTPUT_DIR}" bash
 fi