chore(github): harden workflows and bump tool versions (#182)

moritzzimmer · claude · web-flow · commit 2e61a071ffe0 · 2026-03-03T14:02:15.000+01:00
Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/pr-title.yaml b/.github/workflows/pr-title.yaml
@@ -7,12 +7,15 @@ on:
       - edited
       - synchronize
 
+permissions:
+  pull-requests: read
+
 jobs:
   main:
     name: validate
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v6
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 #v6.1.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
@@ -3,11 +3,15 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v10
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f #v10.2.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
 
diff --git a/.github/workflows/static-checks.yaml b/.github/workflows/static-checks.yaml
@@ -26,7 +26,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 
       - name: Get Terraform version
         uses: clowdhaus/terraform-min-max@a86951cbe89f4d15caec805f36aa1dd68863ae32 #v2.1.0
@@ -47,12 +47,12 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 
       - name: pre-commit ${{ matrix.version }}
         uses: clowdhaus/terraform-composite-actions/pre-commit@462243b714d762cbcac6732098e9fdb4ab236cb7 #v1.14.0
         with:
           terraform-version: ${{ matrix.version }}
           install-trivy: true
-          trivy-version: '0.67.0'
+          trivy-version: '0.69.2'
           args: '--all-files --color always --show-diff-on-failure --verbose'
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.101.0
+    rev: v1.105.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -4,7 +4,7 @@ config {
 
 plugin "aws" {
   enabled = true
-  version = "0.42.0"
+  version = "0.45.0"
   source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
 

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ config {`
`4`	`4`
`5`	`5`	`plugin "aws" {`
`6`	`6`	`enabled = true`
`7`		`- version = "0.42.0"`
	`7`	`+ version = "0.45.0"`
`8`	`8`	`source = "github.com/terraform-linters/tflint-ruleset-aws"`
`9`	`9`	`}`
`10`	`10`