From 3f755f1f0d21528afa5815cc5f52ce70fde8e2ad Mon Sep 17 00:00:00 2001
From: Franck Nijhof
Date: Mon, 16 Feb 2026 08:43:20 +0100
Subject: [PATCH] CI security hardening: pin actions and images in builder and CI workflows (#163116)
---
 .github/workflows/builder.yml | 15 +++++++--------
 .github/workflows/ci.yaml | 6 +++---
 2 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
index 3420bbb174c..3d0e2bfd8f8 100644
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -45,16 +45,16 @@ jobs:
 - name: Get information
 id: info
- uses: home-assistant/actions/helpers/info@master
+ uses: home-assistant/actions/helpers/info@master # zizmor: ignore[unpinned-uses]
 - name: Get version
 id: version
- uses: home-assistant/actions/helpers/version@master
+ uses: home-assistant/actions/helpers/version@master # zizmor: ignore[unpinned-uses]
 with:
 type: ${{ env.BUILD_TYPE }}
 - name: Verify version
- uses: home-assistant/actions/helpers/verify-version@master
+ uses: home-assistant/actions/helpers/verify-version@master # zizmor: ignore[unpinned-uses]
 with:
 ignore-dev: true
@@ -316,9 +316,8 @@ jobs:
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
- # home-assistant/builder doesn't support sha pinning
 - name: Build base image
- uses: home-assistant/builder@2025.11.0
+ uses: home-assistant/builder@21bc64d76dad7a5184c67826aab41c6b6f89023a # 2025.11.0
 with:
 args: |
 $BUILD_ARGS \
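Review bot: The three `# zizmor: ignore[unpinned-uses]` markers added to the `uses:` lines for `helpers/info`, `helpers/version` and `helpers/verify-version` silence the finding without recording why these `@master` references are exempt from the SHA pinning this same commit applies to `home-assistant/builder` in the `@@ -316` hunk. A later reader cannot tell whether the exemption is policy or an oversight, and the pattern repeats for `git-init` and `version-push` in the `@@ -341` and `@@ -358` hunks. A comment above the first exempted step such as `# home-assistant/actions helpers are same-org and intentionally tracked on master, not SHA-pinned (#163116)` would make the trade-off explicit; if a mutable `master` ref is not meant to be trusted here, pinning these helpers to a commit SHA with a trailing `# <tag>` comment, as the builder line now does, would be the stronger fix.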
@@ -341,14 +340,14 @@ jobs:
 persist-credentials: false
 - name: Initialize git
- uses: home-assistant/actions/helpers/git-init@master
+ uses: home-assistant/actions/helpers/git-init@master # zizmor: ignore[unpinned-uses]
 with:
 name: ${{ secrets.GIT_NAME }}
 email: ${{ secrets.GIT_EMAIL }}
 token: ${{ secrets.GIT_TOKEN }}
 - name: Update version file
- uses: home-assistant/actions/helpers/version-push@master
+ uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
 with:
 key: "homeassistant[]"
 key-description: "Home Assistant Core"
@@ -358,7 +357,7 @@ jobs:
 - name: Update version file (stable -> beta)
 if: needs.init.outputs.channel == 'stable'
- uses: home-assistant/actions/helpers/version-push@master
+ uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
 with:
 key: "homeassistant[]"
 key-description: "Home Assistant Core"
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 6ba44a6636e..dc89d0c027b 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -309,7 +309,7 @@ jobs:
 run: |
 echo "::add-matcher::.github/workflows/matchers/hadolint.json"
 - name: Check ${{ matrix.file }}
- uses: docker://hadolint/hadolint:v2.12.0
+ uses: docker://hadolint/hadolint:v2.12.0@sha256:30a8fd2e785ab6176eed53f74769e04f125afb2f74a6c52aef7d463583b6d45e
 with:
 args: hadolint ${{ matrix.file }}
@@ -1039,7 +1039,7 @@ jobs:
 contents: read
 services:
 mariadb:
- image: ${{ matrix.mariadb-group }}
+ image: ${{ matrix.mariadb-group }} # zizmor: ignore[unpinned-images]
 ports:
 - 3306:3306
 env:
@@ -1197,7 +1197,7 @@ jobs:
 contents: read
 services:
 postgres:
- image: ${{ matrix.postgresql-group }}
+ image: ${{ matrix.postgresql-group }} # zizmor: ignore[unpinned-images]
 ports:
 - 5432:5432
 env:
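Review bot: The `# zizmor: ignore[unpinned-images]` marker on `image: ${{ matrix.mariadb-group }}` in the `@@ -1039` hunk (and the matching one on `image: ${{ matrix.postgresql-group }}` in the `@@ -1197` hunk) suppresses the check at the one line where a digest cannot be written, while the actual image references live in the job's `matrix` definition, which is outside both hunks. If those matrix entries are plain tags, the suppression hides a genuinely unpinned service image; if they already carry `@sha256:` digests, the comment should say so. I would extend the marker to `# zizmor: ignore[unpinned-images] -- refs come from matrix.mariadb-group; pin digests there` (and the postgres equivalent) so the expectation travels with the suppression.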