[BUGFIX] sonarcloud security hotspot: use hashes instead of release tags

Gonzalo Diaz · Gonzalo Diaz · commit e6560216bc25 · 2025-09-07T21:28:25.000-03:00
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -25,8 +25,10 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@v2
+      # yamllint disable rule:line-length
+      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # Only required for Organizations, not personal accounts.
           # GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
+          # yamllint enable rule:line-length
diff --git a/.github/workflows/rust-coverage.yml b/.github/workflows/rust-coverage.yml
@@ -20,7 +20,7 @@ jobs:
       - name: Install Rust
         run: rustup update stable
       - name: Install cargo-llvm-cov
-        uses: taiki-e/install-action@cargo-llvm-cov
+        uses: taiki-e/install-action@7a9da991c71dfd905b2ee8252a9ce162f176dc6f
       - name: Install Clippy
         run: rustup component add clippy
       - name: Install cargo-sonar and run Clippy
@@ -59,12 +59,14 @@ jobs:
         with:
           name: coverage-report
 
+      # yamllint disable rule:line-length
       - name: Upload coverage reports to Codecov with GitHub Action
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5
         with:
           files: lcov.info
           token: ${{ secrets.CODECOV_TOKEN }} # required
           verbose: true # optional (default = false)
+          # yamllint enable rule:line-length
 
   sonarqube:
     name: SonarQube
@@ -80,12 +82,14 @@ jobs:
         uses: actions/download-artifact@v5
         with:
           name: coverage-report
+      # yamllint disable rule:line-length
       - name: SonarCloud Scan
-        uses: SonarSource/sonarqube-scan-action@master
+        uses: SonarSource/sonarqube-scan-action@1a6d90ebcb0e6a6b1d87e37ba693fe453195ae25 # v5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         with:
           args: >
             -Dsonar.externalIssuesReportPaths=sonar-issues.json
             -Dsonar.rust.clippy.reportPaths=my-clippy-report.json
+      # yamllint enable rule:line-length
