chore: add CodeQL recommendations (#36)

* chore: pin action to digest in CI workflows and add permissions

* chore: update Go version to 1.23.6 in go.mod

.github/workflows/ci.yaml

@@ -2,7 +2,10 @@ name: ci
 
 on:
   pull_request:
-      branches: [main]
+    branches: [main]
+
+permissions:
+  contents: read
 
 env:
   GO_VERSION: '1.23.6'
@@ -13,12 +16,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
           fetch-depth: 0
 
       - name: Set up Go
-        uses: actions/[email protected]
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 #v5.3.0
         with:
           go-version: ${{ env.GO_VERSION }}
 
@@ -29,7 +32,7 @@ jobs:
           git diff --exit-code go.sum
 
       - name: lint
-        uses: golangci/[email protected]
+        uses: golangci/golangci-lint-action@0adbc47a5910e47adb692df88187ec8c73c76778 #v6.4.0
         with:
           version: latest
           args: --issues-exit-code=1  --config=.golangci.yml
@@ -40,17 +43,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
           fetch-depth: 0
 
       - name: Set up Go
-        uses: actions/[email protected]
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 #v5.3.0
         with:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Build with Goreleaser
-        uses: goreleaser/[email protected]
+        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf #v6.1.0
         with:
           distribution: goreleaser
           version: '~> v2'
@@ -62,17 +65,17 @@ jobs:
     runs-on: windows-latest
     steps:
       - name: Checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
           fetch-depth: 0
 
       - name: Set up Go
-        uses: actions/[email protected]
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 #v5.3.0
         with:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Run GoReleaser
-        uses: goreleaser/[email protected]
+        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf #v6.1.0
         with:
           distribution: goreleaser
           version: '~> v2'

.github/workflows/goreleaser.yaml

@@ -18,23 +18,23 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
           fetch-depth: 0
 
       - name: Fetch all tags
         run: git fetch --force --tags
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 #v5.3.0
         with:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Download Syft
-        uses: anchore/sbom-action/download-syft@v0
+        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 #v0.18.0
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf #v6.1.0
         with:
           distribution: goreleaser
           version: '~> v2'
@@ -49,22 +49,22 @@ jobs:
     runs-on: windows-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
           fetch-depth: 0
 
       - name: Fetch all tags
         run: git fetch --force --tags
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 #v5.3.0
         with:
           go-version: ${{ env.GO_VERSION }}
       - name: Download Syft
-        uses: anchore/sbom-action/download-syft@v0
+        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 #v0.18.0
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf #v6.1.0
         with:
           distribution: goreleaser
           version: '~> v2'

go.mod

@@ -1,6 +1,6 @@
 module github.com/whiteducksoftware/azctx
 
-go 1.23
+go 1.23.6
 
 require (
 	github.com/Masterminds/sprig/v3 v3.3.0