fix: pin actions/checkout to a specific hash

[chmouel]

Updated the checkout action reference to use a specific commit hash to ensure build reproducibility and improve security.

📝 Description of the Change

👨🏻‍ Linked Jira

🔗 Linked GitHub Issue

Fixes #

🧪 Testing Strategy

• Unit tests
• Integration tests
• End-to-end tests
• Manual testing
• Not Applicable

🤖 AI Assistance

• I have not used any AI assistance for this PR.
• I have used AI assistance for this PR.

If you have used AI assistance, please provide the following details:

Which LLM was used?

• GitHub Copilot
• ChatGPT (OpenAI)
• Claude (Anthropic)
• Cursor
• Gemini (Google)
• Other: ____________

Extent of AI Assistance:

• Documentation and research only
• Unit tests or E2E tests only
• Code generation (parts of the code)
• Full code generation (most of the PR)
• PR description and comments
• Commit message(s)

Important

If the majority of the code in this PR was generated by an AI, please add a Co-authored-by trailer to your commit message.
For example:

Co-authored-by: Gemini gemini@google.com
Co-authored-by: ChatGPT noreply@chatgpt.com
Co-authored-by: Claude noreply@anthropic.com
Co-authored-by: Cursor noreply@cursor.com
Co-authored-by: Copilot Copilot@users.noreply.github.com

**💡You can use the script ./hack/add-llm-coauthor.sh to automatically add
these co-author trailers to your commits.

✅ Submitter Checklist

• 📝 My commit messages are clear, informative, and follow the project's How to write a git commit message guide. The Gitlint linter ensures in CI it's properly validated
• ✨ I have ensured my commit message prefix (e.g., fix:, feat:) matches the "Type of Change" I selected above.
• ♽ I have run make test and make lint locally to check for and fix any
  issues. For an efficient workflow, I have considered installing
  pre-commit and running pre-commit install to
  automate these checks.
• 📖 I have added or updated documentation for any user-facing changes.
• 🧪 I have added sufficient unit tests for my code changes.
• 🎁 I have added end-to-end tests where feasible. See README for more details.
• 🔎 I have addressed any CI test flakiness or provided a clear reason to bypass it.
• If adding a provider feature, I have filled in the following and updated the provider documentation:
  • GitHub App
  • GitHub Webhook
  • Gitea/Forgejo
  • GitLab
  • Bitbucket Cloud
  • Bitbucket Data Center

[pipelines-as-code]

🔍 PR Lint Feedback

Note: This automated check helps ensure your PR follows our contribution guidelines.

⚠️ Items that need attention:

🎫 Jira reference

Add a Jira reference in the description using one of the following formats:

• https://issues.redhat.com/browse/SRVKP-<number>

If no SRVKP ticket exists yet, link a GitHub issue instead (e.g., Fixes #123).
Minor housekeeping PRs without Jira coverage can skip this after confirming with reviewers.

---

🤖 AI attribution

The following commits lack an explicit AI attribution footer:

• f29428b fix: pin actions/checkout to a specific hash

If no AI assistance was used for a commit, you can ignore this warning.
Otherwise add an Assisted-by: or Co-authored-by: footer referencing the AI used.

---

ℹ️ Next Steps

• Review and address the items above
• Push new commits to update this PR
• This comment will be automatically updated when issues are resolved

🔧 Admin Tools (click to expand)

Automated Issue/Ticket Creation:

• /issue-create - Generate a GitHub issue from this PR content using AI
• /jira-create - Create a SRVKP Jira ticket from this PR content using AI

⚠️ Important: Always review and edit generated content before finalizing tickets/issues.
The AI-generated content should be used as a starting point and may need adjustments.

These commands are available to maintainers and will post the generated content as PR comments for review.

_{🤖 This feedback was generated automatically by the PR CI system}

[chmouel]

meging to get the tektoncd/ mirror test going since it requires pinned sha

[chmouel]

% grep uses .github/workflows/*
.github/workflows/container.yaml:        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
.github/workflows/container.yaml:        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
.github/workflows/container.yaml:      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
.github/workflows/e2e.yaml:      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
.github/workflows/e2e.yaml:        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
.github/workflows/e2e.yaml:      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
.github/workflows/e2e.yaml:        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
.github/workflows/e2e.yaml:      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
.github/workflows/e2e.yaml:        uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
.github/workflows/e2e.yaml:        uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
.github/workflows/e2e.yaml:        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
.github/workflows/e2e.yaml:        uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3
.github/workflows/e2e.yaml:        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
.github/workflows/e2e.yaml:      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
.github/workflows/e2e.yaml:        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0

% grep uses .github/workflows/*|sed 's/.*uses: //'| sed 's/@.*//'|sort -u
actions/cache
actions/checkout
actions/download-artifact
actions/github-script
actions/setup-go
actions/upload-artifact
jaxxstorm/action-install-gh-release
ko-build/setup-ko
mxschmitt/action-tmate

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.