ci: Update GitHub Actions workflows

.github/workflows/go.yml

@@ -10,6 +10,9 @@ concurrency:
   group: one-at-time
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   checks:
     name: Checks
@@ -31,7 +34,7 @@ jobs:
         run: make check-vuln
 
       - name: Check for linting errors
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # pin@3.6.0
         with:
           version: latest
           args: -v -c .golangci.yml
@@ -62,6 +65,7 @@ jobs:
     name: Integration Tests
     runs-on: ubuntu-latest
     needs: unit-tests
+
     # Skip running if the PR is coming from a fork or is created by dependabot or snyk due to missing repo secrets.
     if: github.event.pull_request.head.repo.fork == false && (github.actor != 'dependabot[bot]' && github.actor != 'snyk-bot')
 
@@ -93,7 +97,7 @@ jobs:
           path: ./unit-tests-artifact
 
       - name: Update codecov report
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # pin@3.1.4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: ./unit-tests-artifact/coverage-unit-tests.out,./coverage-integration-tests.out

.github/workflows/pull-request-target.trigger-deferred.yml

@@ -0,0 +1,14 @@
+name: "(PR) Trigger Deferred"
+
+on:
+  pull_request_target: {}
+
+permissions: {}
+
+jobs:
+  pr-trigger-deferred:
+    name: Trigger
+    runs-on: ubuntu-latest
+
+    steps:
+      - run: exit 0

.github/workflows/release.yml

@@ -3,7 +3,10 @@ name: goreleaser
 on:
   push:
     tags:
-      - 'v*'
+      - "v*"
+
+permissions:
+  contents: write
 
 jobs:
   goreleaser:
@@ -22,7 +25,7 @@ jobs:
           check-latest: true
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v3
+        uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # pin@4.3.0
         with:
           version: latest
           args: release --rm-dist

.github/workflows/semgrep.yml

@@ -1,23 +1,28 @@
-name: Semgrep
+name: "Semgrep"
 
 on:
-  pull_request_target: {}
+  workflow_run:
+    workflows:
+      -  "(PR) Trigger Deferred"
   push:
-    branches: ["main"]
+    branches:
+      - main
   schedule:
-    - cron: '30 0 1,15 * *' # Scheduled for 00:30 UTC on both the 1st and 15th of the month.
+    - cron: "30 0 1,15 * *"
+
+permissions: {}
 
 jobs:
   semgrep:
     name: Scan
     runs-on: ubuntu-latest
+
     container:
       image: returntocorp/semgrep
 
-    # Skip any PR created by dependabot or snyk to avoid permission issues.
-    if: (github.actor != 'dependabot[bot]' && github.actor != 'snyk-bot')
     steps:
       - uses: actions/checkout@v3
+
       - run: semgrep ci
         env:
           SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}