step-security · stepsecurity-int · Apr 17, 2025
diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml
@@ -37,13 +37,13 @@ jobs:
         rc: true
 
     - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:e21fc4db56cb2953202c27ce8056cfb550322fde4f1dd4711c96e7ab2ff7f170
       env:
         PAT: ${{ secrets.PAT }}
         canary: true
 
     - name: Canary TLS test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:e21fc4db56cb2953202c27ce8056cfb550322fde4f1dd4711c96e7ab2ff7f170
       env:
         PAT: ${{ secrets.PAT }}
         canary-tls: true
diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
@@ -20,4 +20,4 @@ jobs:
             int.api.stepsecurity.io:443
 
       - name: Code Review
-        uses: step-security/ai-codewise@int
+        uses: step-security/ai-codewise@ab9fe138367d6094b2df7f8469ddc2c5a79c9cf4 # int
diff --git a/.github/workflows/recurring-int-tests.yml b/.github/workflows/recurring-int-tests.yml
@@ -18,7 +18,7 @@ jobs:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
     - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:e21fc4db56cb2953202c27ce8056cfb550322fde4f1dd4711c96e7ab2ff7f170
       env:
         PAT: ${{ secrets.PAT }}
         canary: true
@@ -33,7 +33,7 @@ jobs:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
     - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:e21fc4db56cb2953202c27ce8056cfb550322fde4f1dd4711c96e7ab2ff7f170
       env:
         PAT: ${{ secrets.PAT }}
         canary-tls: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -40,7 +40,7 @@ jobs:
         rc: true
 
     - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:e21fc4db56cb2953202c27ce8056cfb550322fde4f1dd4711c96e7ab2ff7f170
       env:
         PAT: ${{ secrets.PAT }}
         canary: true

diff --git a/.github/workflows/runs-on.yml b/.github/workflows/runs-on.yml
@@ -14,7 +14,7 @@ jobs:
       - image=ubuntu24-stepsecurity-x64
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@4c8582f45544ce2dafb2cfae82cfbebf0f41bde2 # rc
         with:
           egress-policy: audit
           allowed-endpoints: >
@@ -43,7 +43,7 @@ jobs:
       - image=ubuntu24-stepsecurity-x64
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@4c8582f45544ce2dafb2cfae82cfbebf0f41bde2 # rc
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -89,7 +89,7 @@ jobs:
       - image=ubuntu24-stepsecurity-x64
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@4c8582f45544ce2dafb2cfae82cfbebf0f41bde2 # rc
         with:
           egress-policy: audit
           allowed-endpoints: >
@@ -137,7 +137,7 @@ jobs:
       - image=ubuntu24-stepsecurity-x64
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@4c8582f45544ce2dafb2cfae82cfbebf0f41bde2 # rc
         with:
           egress-policy: block
           allowed-endpoints: >