From 1a57cd126a848020bd8b01b4f36d1bbcc6826bc4 Mon Sep 17 00:00:00 2001 From: Giovanni007 Date: Tue, 21 Nov 2023 16:03:01 +0000 Subject: [PATCH 1/4] AAE-18110 - Add pre-checks job --- .github/workflows/main.yml | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 16bdaa5c..ef9925e7 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -25,26 +25,28 @@ env: jobs: - check-ext-build: - name: Check dependabot/external build + pre-checks: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: Activiti/Activiti/.github/actions/check-ext-build@8.0.0-alpha.10 - - pre-commit: - needs: check-ext-build - runs-on: ubuntu-latest - steps: - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-helm-docs@v3.2.1 - - uses: bridgecrewio/checkov-action@v12.1839.0 + - name: Check dependabot build + uses: Activiti/Activiti/.github/actions/check-ext-build@8.0.0-alpha.10 + - name: Setup Helm Docs + uses: Alfresco/alfresco-build-tools/.github/actions/setup-helm-docs@v3.2.1 + - name: Run Checkov + uses: bridgecrewio/checkov-action@v12.1839.0 with: framework: kubernetes - - uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@v3.2.1 + - name: pre-commit + uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@v3.8.0 + with: + skip_checkout: true + - name: Ensure SHA pinned actions + uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4 build: runs-on: ubuntu-latest - needs: pre-commit + needs: pre-checks steps: - uses: actions/checkout@v4 From b80c048aa8a7ffd66aa5a22540db3a7d3d8d8b4a Mon Sep 17 00:00:00 2001 From: Giovanni007 Date: Tue, 21 Nov 2023 16:11:00 +0000 Subject: [PATCH 2/4] AAE-18110 - Use pinned SHA --- .github/workflows/main.yml | 32 ++++++++++++++++---------------- .github/workflows/rc.yml | 10 +++++----- 2 files changed, 21 insertions(+), 21 deletions(-) 
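Review bot: In the new `pre-checks` job the `Ensure SHA pinned actions` step runs last, so the helm-docs, Checkov and pre-commit actions, which this commit still references by mutable tags (`@v3.2.1`, `@v12.1839.0`, `@v3.8.0`), have already executed before the pin check can fail. Moving that step to sit directly after `actions/checkout` would stop the job before any tag-referenced action runs. With every other `uses:` still on a tag, this commit presumably fails its own check until the pins arrive in 2/4, which makes the series awkward to bisect; adding the step in 2/4 would avoid that. Folding `check-ext-build` into the same job keeps its gating effect only because steps run in order, so I would add a comment above it such as `# must stay the first step after checkout: gates the steps below`.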
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ef9925e7..133f0f57 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -28,17 +28,17 @@ jobs: pre-checks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Check dependabot build - uses: Activiti/Activiti/.github/actions/check-ext-build@8.0.0-alpha.10 + uses: Activiti/Activiti/.github/actions/check-ext-build@4db084fcbb13a288f3b66ac08fc50a5ab7f144ed # 8.0.0-alpha.10 - name: Setup Helm Docs - uses: Alfresco/alfresco-build-tools/.github/actions/setup-helm-docs@v3.2.1 + uses: Alfresco/alfresco-build-tools/.github/actions/setup-helm-docs@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1 - name: Run Checkov - uses: bridgecrewio/checkov-action@v12.1839.0 + uses: bridgecrewio/checkov-action@e1bb78184f5dd3690fb1089d6c4f51295f9dff48 # v12.1839.0 with: framework: kubernetes - name: pre-commit - uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@v3.8.0 + uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@9cf7c9d178e9ab74bf533217febe4dafe73247f4 # v3.8.0 with: skip_checkout: true - name: Ensure SHA pinned actions @@ -48,10 +48,10 @@ jobs: runs-on: ubuntu-latest needs: pre-checks steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Build - uses: Alfresco/alfresco-build-tools/.github/actions/helm-build-chart@v3.2.1 + uses: Alfresco/alfresco-build-tools/.github/actions/helm-build-chart@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1 with: chart-dir: ${{ env.CHART_DIR }} 
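Review bot: The `Alfresco/alfresco-build-tools` actions end up pinned to two different commits in one workflow: `pre-commit` at `9cf7c9d` (`# v3.8.0`) and `setup-helm-docs`, `helm-build-chart` and the others at `3741d44` (`# v3.2.1`). If the older pin is deliberate, a one-line comment saying why would stop it being read as an oversight; otherwise pin them to the same release. The trailing `# vX.Y.Z` comments are not validated against the SHA by anything visible in this patch, so they are only as accurate as the last manual edit. An updater that rewrites SHA and comment together (Dependabot's `github-actions` ecosystem does this) keeps the pins from going stale; whether the repository configures one is not visible here. The same applies to the hunks at `@@ -48,10`, `@@ -67,23`, `@@ -131,7` and to `rc.yml`.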
@@ -67,23 +67,23 @@ jobs: outputs: version: ${{ steps.calculate-next-internal-version.outputs.next-prerelease }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Parse next release id: helm-parse-next-release - uses: Alfresco/alfresco-build-tools/.github/actions/helm-parse-next-release@v3.2.1 + uses: Alfresco/alfresco-build-tools/.github/actions/helm-parse-next-release@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1 with: chart-dir: ${{ env.CHART_DIR }} - id: calculate-next-internal-version name: Calculate next internal release - uses: Alfresco/alfresco-build-tools/.github/actions/calculate-next-internal-version@v3.2.1 + uses: Alfresco/alfresco-build-tools/.github/actions/calculate-next-internal-version@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1 with: next-version: ${{ steps.helm-parse-next-release.outputs.next-release }} - id: helm-release-and-publish name: Release and publish helm chart - uses: Alfresco/alfresco-build-tools/.github/actions/helm-release-and-publish@v3.2.1 + uses: Alfresco/alfresco-build-tools/.github/actions/helm-release-and-publish@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1 with: version: ${{ steps.calculate-next-internal-version.outputs.next-prerelease }} chart-dir: ${{ env.CHART_DIR }} 
@@ -103,15 +103,15 @@ jobs: VERSION: ${{ needs.publish.outputs.version }} DEVELOPMENT_BRANCH: ${{ github.ref_name }} steps: - - uses: Activiti/activiti-scripts/.github/actions/wait-for-chart@develop + - uses: Activiti/activiti-scripts/.github/actions/wait-for-chart@000995bdf3eae49f78ff39c462226208039ef1a8 # 8.1.0 with: chart-name: ${{ env.CHART_NAME }} version: ${{ env.VERSION }} helm-repo-name: ${{ env.HELM_REPO_NAME }} helm-repo-url: ${{ env.HELM_REPO_BASE_URL }} - - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-helm-docs@v3.2.1 - - uses: Alfresco/alfresco-build-tools/.github/actions/jx-updatebot-pr@v3.2.1 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-helm-docs@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1 + - uses: Alfresco/alfresco-build-tools/.github/actions/jx-updatebot-pr@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1 env: GH_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }} with: @@ -131,7 +131,7 @@ jobs: if: always() && failure() && github.event_name == 'push' steps: - name: Slack Notification - uses: Alfresco/alfresco-build-tools/.github/actions/send-slack-notification@v3.2.1 + uses: Alfresco/alfresco-build-tools/.github/actions/send-slack-notification@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1 with: channel-id: 'eng-hxp-studio-activiti-gh-notifs' token: ${{ secrets.SLACK_NOTIFICATION_BOT_TOKEN }} diff --git a/.github/workflows/rc.yml b/.github/workflows/rc.yml index 97f6841c..f0259ed3 100644 --- a/.github/workflows/rc.yml +++ b/.github/workflows/rc.yml 
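Review bot: Replacing `wait-for-chart@develop` with `@000995bdf3eae49f78ff39c462226208039ef1a8 # 8.1.0` is not a like-for-like pin: the other lines in this patch freeze the tag they already used, while this one moves from a branch head to a release, so the code that runs may differ from what `develop` was serving. It is worth confirming that this commit is the one tag `8.1.0` of `Activiti/activiti-scripts` resolves to, and saying in the commit message that the ref was changed as well as pinned. The same `wait-for-chart` change appears in `rc.yml` at `@@ -40,7`.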
@@ -20,17 +20,17 @@ jobs: env: VERSION: ${{ github.ref_name }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - id: helm-package-chart name: Package Helm chart - uses: Alfresco/alfresco-build-tools/.github/actions/helm-package-chart@v3.2.1 + uses: Alfresco/alfresco-build-tools/.github/actions/helm-package-chart@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1 with: chart-dir: ${{ env.CHART_DIR }} - id: helm-publish-chart name: Publish Helm chart - uses: Alfresco/alfresco-build-tools/.github/actions/helm-publish-chart@v3.2.1 + uses: Alfresco/alfresco-build-tools/.github/actions/helm-publish-chart@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1 with: chart-package: ${{ steps.helm-package-chart.outputs.package-file-path }} helm-charts-repo: ${{ env.HELM_REPO }} @@ -40,7 +40,7 @@ jobs: token: ${{ secrets.BOT_GITHUB_TOKEN }} git-username: ${{ secrets.BOT_GITHUB_USERNAME }} - - uses: Activiti/activiti-scripts/.github/actions/wait-for-chart@develop + - uses: Activiti/activiti-scripts/.github/actions/wait-for-chart@000995bdf3eae49f78ff39c462226208039ef1a8 # 8.1.0 with: chart-name: ${{ env.CHART_NAME }} version: ${{ env.VERSION }} @@ -54,7 +54,7 @@ jobs: if: always() && failure() && github.event_name == 'push' steps: - name: Slack Notification - uses: Alfresco/alfresco-build-tools/.github/actions/send-slack-notification@v3.2.1 + uses: Alfresco/alfresco-build-tools/.github/actions/send-slack-notification@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1 with: channel-id: 'eng-hxp-studio-releases-gh-notifs' token: ${{ secrets.SLACK_NOTIFICATION_BOT_TOKEN }} From f3988dfd4b61a68b34199c93821d615fdf8f6a2d Mon Sep 17 00:00:00 2001 From: Giovanni007 Date: Thu, 23 Nov 2023 09:57:18 +0000 Subject: [PATCH 3/4] Update actions [skip ci] --- .github/workflows/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 133f0f57..41be41de 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -38,11 +38,11 @@ jobs: with: framework: kubernetes - name: pre-commit - uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@9cf7c9d178e9ab74bf533217febe4dafe73247f4 # v3.8.0 + uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@8c2a3691aa49cd105f62c2983cda3089b82afe89 # v4.0.0 with: skip_checkout: true - name: Ensure SHA pinned actions - uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4 + uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b35f285b9bb7e80de0967367cee66d3b6d50ceca # v3.0.1 build: runs-on: ubuntu-latest From 7d203bcd22711e0f80cb1e7a10a77d77677fb17c Mon Sep 17 00:00:00 2001 From: Giovanni007 Date: Thu, 23 Nov 2023 10:32:36 +0000 Subject: [PATCH 4/4] Trigger pipeline