
Harden and pin GHA actions by digest#184

Merged
acornett21 merged 1 commit into redhat-openshift-ecosystem:main from caxu-rh:pin-actions on Jun 11, 2026

Conversation


@caxu-rh caxu-rh commented Jun 11, 2026


Summary by CodeRabbit

  • Chores
    • CI and build workflows updated to pin GitHub Actions and helper actions to specific commit SHAs (removing floating major tags).
    • Pinned versions: actions/checkout v6.0.3, actions/setup-go v6.4.0, redhat-actions/buildah-build v2.13, redhat-actions/push-to-registry v2.8.
    • Pinning applied across continuous integration, main build, and release build pipelines to stabilize reproducible builds.

@openshift-ci openshift-ci Bot requested review from acornett21 and skattoju June 11, 2026 14:35
@caxu-rh caxu-rh changed the title Pin GHA actions by digest Harden and pin GHA actions by digest Jun 11, 2026

coderabbitai Bot commented Jun 11, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 04fa47df-3182-48cc-83fe-7e1ac9576a5d

📥 Commits

Reviewing files that changed from the base of the PR and between a4914f6 and 5d4c355.

📒 Files selected for processing (3)
  • .github/workflows/build-main.yml
  • .github/workflows/build-release.yml
  • .github/workflows/ci.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/build-release.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/ci.yml
  • .github/workflows/build-main.yml

Walkthrough

This PR pins third-party GitHub Actions in CI and build workflows to specific commit SHAs instead of floating major-version tags: actions/checkout → v6.0.3, actions/setup-go → v6.4.0, redhat-actions/buildah-build → v2.13, and redhat-actions/push-to-registry → v2.8.

Changes

GitHub Actions Security Pinning

Layer: Core checkout and setup-go pinning
Files: .github/workflows/build-main.yml, .github/workflows/build-release.yml, .github/workflows/ci.yml
Summary: actions/checkout and actions/setup-go are changed from floating @v6 tags to pinned commit SHAs (v6.0.3 and v6.4.0) across the sanity CI job and both build workflows.

Layer: Build and registry push action pinning
Files: .github/workflows/build-main.yml, .github/workflows/build-release.yml
Summary: redhat-actions/buildah-build (v2.13) and redhat-actions/push-to-registry (v2.8) are changed from generic @v2 tags to pinned commit SHAs for operator and bundle image build/push steps.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 7
✅ Passed checks (7 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Harden and pin GHA actions by digest' directly and clearly summarizes the main change: pinning GitHub Actions to exact commit SHAs/digests for security hardening.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR only modifies GitHub workflow files (.github/workflows/). No Ginkgo test declarations (It, Describe, Context, When) exist or were modified; suite_test.go contains no test cases with dynamic test...
Test Structure And Quality ✅ Passed PR only modifies GitHub Actions workflow YAML files (.github/workflows/) to pin actions to commit SHAs; no Ginkgo test code (.go test files) was changed, so the test quality check is not applicable.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-main.yml:
- Around line 16-19: The workflow's setup-go step (the step using
actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c with id: go) currently
leaves the Go module cache enabled; add cache: false to that step in
build-main.yml (and mirror the same change in build-release.yml) so the setup-go
action does not persist or restore a Go/module download cache when building and
publishing images.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c5e8d589-9eef-46d2-bbb9-c9b999b88957

📥 Commits

Reviewing files that changed from the base of the PR and between 857827b and 73493be.

📒 Files selected for processing (3)
  • .github/workflows/build-main.yml
  • .github/workflows/build-release.yml
  • .github/workflows/ci.yml

Comment thread .github/workflows/build-main.yml

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-release.yml:
- Around line 16-19: Remove the unsupported "cache: false" parameter from the
actions/checkout step (the line paired with uses:
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10) so the checkout
action only includes supported keys (e.g., keep persist-credentials: false if
desired); do not add caching here—use language-specific setup/cache actions
(like actions/setup-go or actions/cache) for caching instead.
- Around line 21-24: Add the explicit cache: false setting to the
actions/setup-go step in the workflow to match build-main.yml and prevent cache
poisoning; locate the setup-go invocation (the step using
actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c with id: go and
go-version-file: go.mod) and add cache: false under its with: block so the step
disables the default caching behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 276435a5-7ec5-43ed-9549-3adb9181b0c2

📥 Commits

Reviewing files that changed from the base of the PR and between 73493be and a4914f6.

📒 Files selected for processing (3)
  • .github/workflows/build-main.yml
  • .github/workflows/build-release.yml
  • .github/workflows/ci.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/build-main.yml
  • .github/workflows/ci.yml
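A small checker for the two points raised across these review comments (a `uses:` reference still on a floating tag, and a setup-go step that leaves its module cache enabled), written as an added example for this page, not tooling from the project or from CodeRabbit. The sample workflow text is constructed; it reuses the setup-go SHA quoted in the review and is parsed line by line, so a step whose `with:` values contain nested `- ` list items would be split incorrectly.

```python
import re

# Constructed sample workflow (not from the PR): two floating tags and one
# SHA-pinned setup-go step that still has the default module cache enabled.
SAMPLE = """\
jobs:
  build:
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        id: go
        with:
          go-version-file: go.mod
      - uses: redhat-actions/buildah-build@v2
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
SHA_RE = re.compile(r"@[0-9a-f]{40}$")        # owner/repo@<40-hex commit SHA>
STEP_START_RE = re.compile(r"^\s*-\s")         # a '- ' list item starts a step
CACHE_OFF_RE = re.compile(r"^\s*cache:\s*false\s*$")

def split_steps(text):
    """Group lines into steps (simplified: any '- ' list item starts a new group)."""
    steps, current = [], []
    for line in text.splitlines():
        if STEP_START_RE.match(line) and current:
            steps.append(current)
            current = []
        current.append(line)
    return steps + [current] if current else steps

def find_unpinned(text):
    """Return `uses:` references that are not pinned to a full commit SHA.
    Local actions (./path) are skipped: they ship with the repository itself."""
    refs = [m.group("ref").strip("'\"") for m in map(USES_RE.match, text.splitlines()) if m]
    return [r for r in refs if not r.startswith("./") and not SHA_RE.search(r)]

def find_setup_go_with_cache(text):
    """Return setup-go references whose step never sets `cache: false`
    (setup-go restores and saves a module cache by default)."""
    findings = []
    for step in split_steps(text):
        refs = [m.group("ref") for m in map(USES_RE.match, step) if m]
        go_refs = [r for r in refs if r.startswith("actions/setup-go@")]
        if go_refs and not any(CACHE_OFF_RE.match(line) for line in step):
            findings.extend(go_refs)
    return findings
```

Run `find_unpinned` and `find_setup_go_with_cache` over each file under `.github/workflows/` to get the same two classes of finding the review raised.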

Comment thread .github/workflows/build-release.yml
Signed-off-by: Caleb Xu <caxu@redhat.com>
@acornett21 acornett21 merged commit f772a25 into redhat-openshift-ecosystem:main Jun 11, 2026
2 checks passed