[govulncheck-action] action.yml: pin action dependencies to full commit SHAs

Russ Cox (Gerrit)

5:47 AM (12 hours ago)
to Russ Cox, Charlotte Brandhorst-Satzkorn, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Johan Brandhorst-Satzkorn, David Chase, Gopher Robot, Zvonimir Pavlinovic, golang-co...@googlegroups.com

Russ Cox submitted the change

Change information

Commit message:
action.yml: pin action dependencies to full commit SHAs

In August 2025, GitHub introduced a feature which allows GitHub
repositories to enforce that Actions use SHA pinning. If enabled, all
GitHub Actions, including their transitive dependencies, must use SHA
pinning in order to be allowed to run. Switching to SHAs for our Action
dependencies allows repositories with this setting enabled to continue
using golang/govulncheck-action.

Fixes golang/go#75908
Change-Id: I0ffe9a8f56bbfd87dc50136fc35b0fc58abb4206
Auto-Submit: Sean Liao <se...@liao.dev>
Reviewed-by: Johan Brandhorst-Satzkorn <johan.br...@gmail.com>
Reviewed-by: Sean Liao <se...@liao.dev>
Reviewed-by: David Chase <drc...@google.com>
Reviewed-by: Russ Cox <r...@golang.org>
TryBot-Bypass: Sean Liao <se...@liao.dev>
Files:
  • M action.yml
Change size: XS
Delta: 1 file changed, 2 insertions(+), 2 deletions(-)
Branch: refs/heads/master
Submit Requirements:
  • Code-Review (requirement satisfied): +1 by David Chase, +2 by Johan Brandhorst-Satzkorn, +2 by Sean Liao, +2 by Russ Cox
  • TryBots-Pass (requirement satisfied): TryBot-Bypass+1 by Sean Liao
Gerrit-MessageType: merged
Gerrit-Project: govulncheck-action
Gerrit-Branch: master
Gerrit-Change-Id: I0ffe9a8f56bbfd87dc50136fc35b0fc58abb4206
Gerrit-Change-Number: 749320
Gerrit-PatchSet: 2
Gerrit-Owner: Charlotte Brandhorst-Satzkorn <char...@satzkorn.com>
Gerrit-Reviewer: David Chase <drc...@google.com>
Gerrit-Reviewer: Johan Brandhorst-Satzkorn <johan.br...@gmail.com>
Gerrit-Reviewer: Russ Cox <r...@golang.org>
Gerrit-Reviewer: Sean Liao <se...@liao.dev>
Gerrit-Reviewer: Zvonimir Pavlinovic <zpavl...@google.com>
Gerrit-CC: Gopher Robot <go...@golang.org>
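
As an added example (not part of this change or of the govulncheck-action repository), a small Go check for the property the commit message describes: it reports every `uses:` reference in an action or workflow file that is not pinned to a full 40-character commit SHA. It inspects one file's direct references only, not transitive dependencies; the function name, the sample YAML, the `example-org` owners and the SHA value are all constructed placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// usesRe matches a step's "uses:" key and captures the referenced action.
var usesRe = regexp.MustCompile(`^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)`)

// shaRe matches a full 40-hex-digit commit SHA.
var shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

// UnpinnedUses returns "line N: ref" for each uses: reference that is not
// pinned to a full commit SHA. Local (./) and docker:// references are
// skipped here, since they are not owner/repo@ref action references.
func UnpinnedUses(yaml string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(yaml))
	for n := 1; sc.Scan(); n++ {
		m := usesRe.FindStringSubmatch(sc.Text())
		if m == nil || strings.HasPrefix(m[1], "./") || strings.HasPrefix(m[1], "docker://") {
			continue
		}
		// Everything after the last "@" is the ref: a tag, branch or SHA.
		i := strings.LastIndex(m[1], "@")
		if i < 0 || !shaRe.MatchString(m[1][i+1:]) {
			out = append(out, fmt.Sprintf("line %d: %s", n, m[1]))
		}
	}
	return out
}

// sample is a constructed composite action; owners and SHA are placeholders.
const sample = `runs:
  using: composite
  steps:
    - uses: example-org/checkout@v4
    - uses: example-org/setup@0123456789abcdef0123456789abcdef01234567 # v5.0.0
    - name: abbreviated SHA is not a full pin
      uses: "example-org/cache@0123456"
    - uses: ./local-action
`

func main() {
	for _, finding := range UnpinnedUses(sample) {
		fmt.Println(finding)
	}
}
```

Keeping the tag as a trailing comment next to the SHA, as in the pinned sample line, preserves readability for reviewers when the pin is later updated.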