| author | Ivan Gabaldon <igabaldon@inetol.net> | 2025-08-08 11:26:45 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-08-08 11:26:45 +0200 |
| commit | dd170964c70664e2793ceb7e990cf443d9b324ae (patch) | |
| tree | 8f295d2e1fbbe96a9854b47436aab4ac6bceb88d /.github/workflows/container.yml | |
| parent | 1f619248b6c03a5954a4f8dd6764578094c8a743 (diff) | |
[mod] ci: strict(er) exec (#5099)
All actions are pulled using the version hash, versions are handled by
dependabot, and we'll have control over which actions get updated.
Replaces the Trivy scanner with Docker Scout: we have recently begun analyzing
the images there, and the action will keep us in sync about the problems on the
GHCS dashboard.
Diffstat (limited to '.github/workflows/container.yml')
| -rw-r--r-- | .github/workflows/container.yml | 34 |
1 files changed, 17 insertions, 17 deletions
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 6369f1b7a..27856bbe8 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -38,7 +38,7 @@ jobs: steps: - if: github.repository_owner == 'searxng' name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" @@ -50,7 +50,7 @@ jobs: - if: github.repository_owner == 'searxng' name: Check cache apko id: cache-apko - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: # yamllint disable-line rule:line-length key: "apko-${{ steps.date.outputs.date }}-${{ hashFiles('./container/base.yml', './container/base-builder.yml') }}" @@ -59,7 +59,7 @@ jobs: - if: github.repository_owner == 'searxng' && steps.cache-apko.outputs.cache-hit != 'true' name: Setup cache apko - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: # yamllint disable-line rule:line-length key: "apko-${{ steps.date.outputs.date }}-${{ hashFiles('./container/base.yml', './container/base-builder.yml') }}" @@ -74,7 +74,7 @@ jobs: - if: github.repository_owner == 'searxng' && steps.cache-apko.outputs.cache-hit != 'true' name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: "ghcr.io" username: "${{ github.repository_owner }}" 
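Review bot: The `# v4.2.2` comment after the pinned SHA on the `Checkout` step is not checked by the runner, so nothing in this hunk ties the hash to that release; the same holds for every `uses:` line rewritten in the `-50`, `-59`, `-74`, `-130`, `-148`, `-166`, `-183`, `-210` and `-245` hunks. Each hash should be confirmed to be the commit the named tag points to in the action's own repository, because a full SHA can also resolve to a commit that exists only in a fork of that repository. A later edit can quietly reintroduce a tag reference, so a lint step or an Actions policy that rejects non-SHA `uses:` values would keep the pinning enforced. I would also add a comment at the top of the workflow, for example `# Actions are pinned by commit SHA; Dependabot updates the hash and the version comment together.`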
@@ -130,17 +130,17 @@ jobs: steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "${{ env.PYTHON_VERSION }}" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - name: Setup cache Python - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}" restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-" @@ -148,7 +148,7 @@ jobs: - name: Restore cache container mounts id: cache-container-mounts - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "container-mounts-${{ hashFiles('./container/*.dockerfile') }}" restore-keys: "container-mounts-" @@ -166,10 +166,10 @@ jobs: - if: ${{ matrix.emulation }} name: Setup QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: "ghcr.io" username: "${{ github.repository_owner }}" @@ -183,7 +183,7 @@ jobs: - if: always() name: Save cache container mounts - uses: actions/cache/save@v4 + uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: key: "container-mounts-${{ hashFiles('./container/*.dockerfile') }}" path: | 
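Review bot: `Restore cache container mounts` in the `-148` hunk falls back to the prefix `restore-keys: "container-mounts-"`, and `Save cache container mounts` in the `-183` hunk runs under `if: always()`, so pinning the cache action does not constrain what content reaches the image build. A failed build can store its mount state under a key that has no entry yet, and a run whose Dockerfiles changed will accept the most recent older `container-mounts-` entry. Because this job logs in to GHCR and presumably pushes images, I would save only from successful runs, `- if: ${{ success() }}`, and add a comment on the restore step stating which refs are expected to write this cache. Both steps continue outside their hunks.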
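Review bot: The `Setup QEMU` step in the `-166` hunk is now pinned to a commit, but it has no `with:` block, so the emulator image the action pulls is whatever its default resolves to. As far as I know that default is a mutable tag (`docker.io/tonistiigi/binfmt:latest`), and the action runs it privileged on the runner, which leaves one unpinned input in an otherwise pinned step. Pinning the image by digest would match the intent of the commit, e.g. `with:` followed by `image: "docker.io/tonistiigi/binfmt@sha256:<DIGEST_PLACEHOLDER>"`. The same step appears in the `-210` hunk.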
@@ -210,16 +210,16 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - if: ${{ matrix.emulation }} name: Setup QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: "ghcr.io" username: "${{ github.repository_owner }}" @@ -245,19 +245,19 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: "false" - name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: "ghcr.io" username: "${{ github.repository_owner }}" password: "${{ secrets.GITHUB_TOKEN }}" - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: "docker.io" username: "${{ secrets.DOCKERHUB_USERNAME }}" |
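Review bot: The `Login to GHCR` and `Login to Docker Hub` steps in the `-245` hunk pass `secrets.GITHUB_TOKEN` and the Docker Hub credentials to a third-party action, and the job's `permissions:` block is not visible in the hunk. The SHA pin limits which code receives those secrets, but the token's reach still depends on the job-level scope. If it is not already set, I would declare it on this job, `permissions:` with `contents: read` and `packages: write`. A short comment on the Docker Hub step noting that the secret should be a scoped access token rather than the account password would also help. The job header and the Docker Hub `password:` line are outside the hunk, so this may already be in place.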