Pin third party actions (#3981)

.github/workflows/arc-validate-chart.yaml

@@ -5,20 +5,20 @@ on:
     branches:
       - master
     paths:
-      - 'charts/**'
-      - '.github/workflows/arc-validate-chart.yaml'
-      - '!charts/actions-runner-controller/docs/**'
-      - '!**.md'
-      - '!charts/gha-runner-scale-set-controller/**'
-      - '!charts/gha-runner-scale-set/**'
+      - "charts/**"
+      - ".github/workflows/arc-validate-chart.yaml"
+      - "!charts/actions-runner-controller/docs/**"
+      - "!**.md"
+      - "!charts/gha-runner-scale-set-controller/**"
+      - "!charts/gha-runner-scale-set/**"
   push:
     paths:
-      - 'charts/**'
-      - '.github/workflows/arc-validate-chart.yaml'
-      - '!charts/actions-runner-controller/docs/**'
-      - '!**.md'
-      - '!charts/gha-runner-scale-set-controller/**'
-      - '!charts/gha-runner-scale-set/**'
+      - "charts/**"
+      - ".github/workflows/arc-validate-chart.yaml"
+      - "!charts/actions-runner-controller/docs/**"
+      - "!**.md"
+      - "!charts/gha-runner-scale-set-controller/**"
+      - "!charts/gha-runner-scale-set/**"
   workflow_dispatch:
 env:
   KUBE_SCORE_VERSION: 1.10.0
@@ -45,34 +45,19 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2
+        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2.0
         uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
         with:
           version: ${{ env.HELM_VERSION }}
 
-      - name: Set up kube-score
-        run: |
-          wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score
-          chmod 755 kube-score
-
-      - name: Kube-score generated manifests
-        run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score -
-              --ignore-test pod-networkpolicy
-              --ignore-test deployment-has-poddisruptionbudget
-              --ignore-test deployment-has-host-podantiaffinity
-              --ignore-test container-security-context
-              --ignore-test pod-probes
-              --ignore-test container-image-tag
-              --enable-optional-test container-security-context-privileged
-              --enable-optional-test container-security-context-readonlyrootfilesystem
-
       # python is a requirement for the chart-testing action below (supports yamllint among other tests)
       - uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: "3.11"
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.6.0
+        # https://github.com/helm/chart-testing-action/releases/tag/v2.7.0
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
 
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -87,7 +72,8 @@ jobs:
           ct lint --config charts/.ci/ct-config.yaml
 
       - name: Create kind cluster
-        uses: helm/kind-action@v1.4.0
+        # https://github.com/helm/kind-action/releases/tag/v1.12.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
         if: steps.list-changed.outputs.changed == 'true'
 
       # We need cert-manager already installed in the cluster because we assume the CRDs exist