elastic
diff --git a/‎.github/actions/aws-asset-inventory-ci/action.yml
+2-2 b/‎.github/actions/aws-asset-inventory-ci/action.yml
+2-2
diff --git a/‎.github/actions/aws-ci/action.yml
+2-2 b/‎.github/actions/aws-ci/action.yml
+2-2
diff --git a/‎.github/actions/azure-asset-inventory-ci/action.yml
+2-2 b/‎.github/actions/azure-asset-inventory-ci/action.yml
+2-2
diff --git a/‎.github/actions/azure-ci/action.yml
+2-2 b/‎.github/actions/azure-ci/action.yml
+2-2
diff --git a/‎.github/actions/cnvm-ci/action.yml
+3-3 b/‎.github/actions/cnvm-ci/action.yml
+3-3
diff --git a/‎.github/actions/docker-images/action.yml
+7-7 b/‎.github/actions/docker-images/action.yml
+7-7
diff --git a/‎.github/actions/gcp-asset-inventory-ci/action.yml
+2-2 b/‎.github/actions/gcp-asset-inventory-ci/action.yml
+2-2
diff --git a/‎.github/actions/gcp-ci/action.yml
+3-3 b/‎.github/actions/gcp-ci/action.yml
+3-3
diff --git a/‎.github/actions/hermit/action.yml
+3-3 b/‎.github/actions/hermit/action.yml
+3-3
diff --git a/‎.github/actions/init-integration/action.yml
+1-1 b/‎.github/actions/init-integration/action.yml
+1-1
diff --git a/‎.github/actions/k8s-ci/action.yml
+1-1 b/‎.github/actions/k8s-ci/action.yml
+1-1
diff --git a/‎.github/actions/kibana-ftr/action.yml
+2-2 b/‎.github/actions/kibana-ftr/action.yml
+2-2
diff --git a/‎.github/actions/slack-notification/action.yml
+2-2 b/‎.github/actions/slack-notification/action.yml
+2-2
diff --git a/‎.github/workflows/arm-template-lint.yml
+2-2 b/‎.github/workflows/arm-template-lint.yml
+2-2
diff --git a/‎.github/workflows/bump-version.yml
+1-1 b/‎.github/workflows/bump-version.yml
+1-1
diff --git a/‎.github/workflows/ci-pull_request.yml
+3-3 b/‎.github/workflows/ci-pull_request.yml
+3-3
@@ -52,15 +52,15 @@ runs:
 
     - name: Upload test results
       if: ${{ always() }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
       with:
         name: allure-results-ci-aws-asset-inventory
         path: tests/allure/results/
         overwrite: true
 
     - if: ${{ failure() || cancelled() || inputs.debug == 'true' }}
       name: Upload cloudbeat logs
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
       with:
         name: cloubeat-logs-ci-aws-asset-inventory
         path: logs/
 
@@ -52,15 +52,15 @@ runs:
 
     - name: Upload test results
       if: ${{ always() }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
       with:
         name: allure-results-ci-aws
         path: tests/allure/results/
         overwrite: true
 
     - if: ${{ failure() || cancelled() || inputs.debug == 'true' }}
       name: Upload cloudbeat logs
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
       with:
         name: cloubeat-logs-ci-aws
         path: logs/
 
@@ -53,15 +53,15 @@ runs:
 
     - name: Upload test results
       if: ${{ always() }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
       with:
         name: allure-results-ci-azure
         path: tests/allure/results/
         overwrite: true
 
     - if: ${{ failure() || cancelled() || inputs.debug == 'true' }}
       name: Upload cloudbeat logs
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
       with:
         name: cloubeat-logs-ci-azure
         path: logs/
 
@@ -53,15 +53,15 @@ runs:
 
     - name: Upload test results
       if: ${{ always() }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
       with:
         name: allure-results-ci-azure
         path: tests/allure/results/
         overwrite: true
 
     - if: ${{ failure() || cancelled() || inputs.debug == 'true' }}
       name: Upload cloudbeat logs
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
       with:
         name: cloubeat-logs-ci-azure
         path: logs/
 
@@ -27,7 +27,7 @@ runs:
         elk-version: ${{ inputs.elk-version }}
 
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
       with:
         aws-access-key-id: ${{ inputs.aws-access-key-id }}
         aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
@@ -55,15 +55,15 @@ runs:
 
     - name: Upload test results
       if: ${{ always() }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
       with:
         name: allure-results-ci-cnvm
         path: tests/allure/results/
         overwrite: true
 
     - if: ${{ failure() || cancelled() || inputs.debug == 'true' }}
       name: Upload cloudbeat logs
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
       with:
         name: cloubeat-logs-ci-cnvm
         path: logs/
 
@@ -58,18 +58,18 @@ runs:
 
     - if: ${{ inputs.build-docker-images == 'true' }}
       name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
 
     - if: ${{ inputs.build-docker-images == 'true' }}
       name: Cache docker build cache
-      uses: actions/cache@v4
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
       with:
         path: ${{ inputs.docker-build-cache-folder }}
         key: ci-buildx-${{ runner.os }}-${{ runner.arch }}-${{ github.workflow }}
 
     - if: ${{ inputs.build-docker-images == 'true' }}
       name: Build cloudbeat-docker image
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
       with:
         context: .
         file: ./deploy/Dockerfile
@@ -83,7 +83,7 @@ runs:
 
     - if: ${{ inputs.build-docker-images == 'true' }}
       name: Build elastic-agent
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
       env:
         GOOS: ${{ inputs.goos }}
         GOARCH: ${{ inputs.goarch }}
@@ -103,7 +103,7 @@ runs:
 
     - if: ${{ inputs.build-docker-images == 'true' }}
       name: Build pytest-docker
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
       with:
         context: ./tests/.
         push: false
@@ -124,7 +124,7 @@ runs:
     - if: ${{ inputs.build-docker-images == 'true' }}
       name: Upload docker images
       # Pin action version to 4.3.4 See https://github.com/actions/upload-artifact/issues/589
-      uses: actions/upload-artifact@v4.3.4
+      uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
       with:
         name: docker-images
         path: ${{ inputs.docker-images-folder }}
@@ -134,7 +134,7 @@ runs:
 
     - if: ${{ inputs.build-docker-images == 'false' }}
       name: Download docker images
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4
       with:
         name: docker-images
         path: ${{ inputs.docker-images-folder }}
@@ -49,15 +49,15 @@ runs:
 
     - name: Upload test results
       if: ${{ always() }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
       with:
         name: allure-results-ci-gcp-asset-inventory
         path: tests/allure/results/
         overwrite: true
 
     - if: ${{ failure() || cancelled() || inputs.debug == 'true' }}
       name: Upload cloudbeat logs
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
       with:
         name: cloubeat-logs-ci-gcp-asset-inventory
         path: logs/
 
@@ -31,7 +31,7 @@ runs:
 
     - id: google-auth
       name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@v2
+      uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2
       with:
         workload_identity_provider: ${{ inputs.workload-identity-provider }}
         service_account: ${{ inputs.service-account }}
@@ -57,15 +57,15 @@ runs:
 
     - name: Upload test results
       if: ${{ always() }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
       with:
         name: allure-results-ci-gcp
         path: tests/allure/results/
         overwrite: true
 
     - if: ${{ failure() || cancelled() || inputs.debug == 'true' }}
       name: Upload cloudbeat logs
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
       with:
         name: cloubeat-logs-ci-gcp
         path: logs/
 
@@ -10,7 +10,7 @@ runs:
   steps:
     - id: free-disk
       name: Free Disk Space
-      uses: jlumbroso/free-disk-space@main
+      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main
       with:
         tool-cache: false
         android: true
@@ -32,7 +32,7 @@ runs:
         echo "hash=$hash" >> "$GITHUB_OUTPUT"
 
     - id: cache-tools
-      uses: actions/cache@v4
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
       with:
         path: |
           ~/.cache/hermit/pkg
@@ -42,7 +42,7 @@ runs:
         key: ci-hermit-env-${{ runner.os }}-${{ steps.hermit-hash.outputs.hash }}
 
     - id: cache-go-deps
-      uses: actions/cache@v4
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
       with:
         path: |
           ~/go/pkg/
 
@@ -17,7 +17,7 @@ runs:
       run: mage -v build
 
     - name: Run elasticsearch
-      uses: elastic/elastic-github-actions/elasticsearch@master
+      uses: elastic/elastic-github-actions/elasticsearch@dc110609b1cb3024477ead739ca23ab547b8b9ff # master
       with:
         stack-version: ${{ inputs.elk-version }}
         security-enabled: false
 
@@ -61,7 +61,7 @@ runs:
 
     - name: Upload Test Results
       if: ${{ always() }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
       with:
         name: allure-results-ci-k8s-${{ inputs.test-target }}-${{ inputs.kind-config }}
         path: tests/allure/results/
 
@@ -26,15 +26,15 @@ runs:
         echo "KIBANA_DIR=kibana" >> "${GITHUB_OUTPUT}"
 
     - name: Checkout Kibana Repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       with:
         repository: elastic/kibana
         ref: ${{ inputs.kibana_ref }}
         fetch-depth: 1
         path: ${{ steps.globals.outputs.KIBANA_DIR }}
 
     - name: Setup Node
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
       with:
         node-version-file: ${{ steps.globals.outputs.KIBANA_DIR }}/package.json
 
 
@@ -32,7 +32,7 @@ runs:
   using: "composite"
   steps:
     - name: Get Vault credentials
-      uses: hashicorp/vault-action@v2.7.4
+      uses: hashicorp/vault-action@affa6f04da5c2d55e6e115b7d1b044a6b1af8c74 # v2.7.4
       continue-on-error: true
       with:
         url: ${{ inputs.vault-url }}
@@ -56,7 +56,7 @@ runs:
 
     - name: Send Slack notification
       id: send-slack-notification
-      uses: slackapi/slack-github-action@v1.24.0
+      uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
       env:
         SLACK_BOT_TOKEN: ${{ env.SLACK_BOT_TOKEN }}
       with:
 
@@ -20,7 +20,7 @@ jobs:
       matrix:
         template: [ "ARM-for-organization-account", "ARM-for-single-account" ]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
         # Copy files to its own folder because it's what the official ARM-TTK action expects
         # Docs https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/test-toolkit#test-parameters
@@ -30,7 +30,7 @@ jobs:
           mkdir ${{ matrix.template }}
           cp ${{ matrix.template }}.json ${{ matrix.template }}/azuredeploy.json
 
-      - uses: microsoft/action-armttk@v1
+      - uses: microsoft/action-armttk@71252e1767b6e23ad905bf5c456ebdbc7d7ae1bf # v1
         name: lint ${{ matrix.template }}
         with:
           github_token: ${{ secrets.github_token }}
 
@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: Checkout Cloudbeat Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           ref: ${{ github.ref_name }}
           token: ${{ secrets.CLOUDSEC_MACHINE_TOKEN }}
 
@@ -26,7 +26,7 @@ jobs:
     timeout-minutes: 60
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Initialize hermit
         shell: bash
@@ -78,7 +78,7 @@ jobs:
     timeout-minutes: 60
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Initialize hermit
         shell: bash
@@ -97,7 +97,7 @@ jobs:
           cat cover.out.tmp | grep -v "mock_.*.go" | grep -v "elastic/cloudbeat/deploy" | grep -v "internal/inventory/asset.go" > cover.out # remove mock files and deploy dir
 
       - name: Upload coverage artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
         with:
           name: coverage-file
           path: cover.out