[universal] Github Workflow Improvements (CloudPirates-io#358)

Author: zOnlyKroks

.github/workflows/auto-label.yaml

@@ -5,15 +5,20 @@ on:
   pull_request:
     types: [opened]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.issue.number }}
+  cancel-in-progress: true
+
 jobs:
   label:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     permissions:
       issues: write
       pull-requests: write
     steps:
       - name: Apply labels
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         with:
           script: |
             let content = "";

.github/workflows/check-signed-commits.yaml

@@ -1,16 +1,21 @@
 name: Check signed commits in PR
 on: pull_request_target
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
 jobs:
   check-signed-commits:
     name: Check signed commits in PR
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       pull-requests: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
@@ -39,7 +44,7 @@ jobs:
       - name: Check signed commits in PR
         if: steps.check-bots.outputs.has_human_commits == 'true'
         continue-on-error: true
-        uses: 1Password/check-signed-commits-action@v1
+        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1.2.0
         with:
           comment: |
             ## ⚠️ Unsigned Commits Detected

.github/workflows/pull-request.yaml

@@ -8,18 +8,25 @@ on:
     branches:
       - main
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
 jobs:
   lint-test:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
     outputs:
       changed: ${{ steps.list-changed.outputs.changed }}
       changedCharts: ${{ steps.list-changed.outputs.changedCharts }}
     steps:
       - name: Setup Helm
-        uses: Azure/setup-helm@v4.3.1
+        uses: Azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
 
       - name: Checkout pull request branch
-        uses: actions/checkout@v5.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: ${{ github.head_ref }}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -28,12 +35,13 @@ jobs:
       # Python is required because `ct lint` runs Yamale (https://github.com/23andMe/Yamale) and
       # yamllint (https://github.com/adrienverge/yamllint) which require Python
       - name: Set up Python
-        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: 3.x
+          cache: 'pip'
 
       - name: Set up chart-testing-action
-        uses: helm/chart-testing-action@v2.7.0
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
 
       - name: Get changed charts
         id: list-changed
@@ -50,40 +58,70 @@ jobs:
             echo "No chart changes detected"
           fi
 
+      - name: Cache Helm plugins
+        if: steps.list-changed.outputs.changed == 'true'
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: ~/.local/share/helm/plugins
+          key: ${{ runner.os }}-helm-plugins-${{ hashFiles('**/plugin.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-helm-plugins-
+
       - name: Installing plugin helm-unittest
         if: steps.list-changed.outputs.changed == 'true'
-        run: helm plugin install https://github.com/helm-unittest/helm-unittest >/dev/null
+        run: |
+          if ! helm plugin list | grep -q unittest; then
+            helm plugin install https://github.com/helm-unittest/helm-unittest
+          else
+            echo "helm-unittest plugin already installed"
+          fi
 
       - name: Run chart testing (lint & unittest)
         if: steps.list-changed.outputs.changed == 'true'
         run: ct lint --target-branch ${{ github.event.repository.default_branch }} --validate-maintainers=false --additional-commands "helm unittest {{ .Path }}"
 
   integration-test:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
     needs: [lint-test]
     if: needs.lint-test.outputs.changed == 'true'
     steps:
       - name: Checkout pull request branch
-        uses: actions/checkout@v5.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: ${{ github.head_ref }}
           repository: ${{github.event.pull_request.head.repo.full_name}}
           fetch-depth: 0
 
       - name: Setup Helm
-        uses: Azure/setup-helm@v4.3.1
+        uses: Azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
 
       - name: Setup kubectl
-        uses: azure/setup-kubectl@v4
+        uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
 
       - name: Create kind cluster
-        uses: helm/kind-action@v1.12.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
           cluster_name: helm-chart-test
           wait: 300s
 
+      - name: Cache Helm plugins
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: ~/.local/share/helm/plugins
+          key: ${{ runner.os }}-helm-plugins-${{ hashFiles('**/plugin.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-helm-plugins-
+
       - name: Installing plugin helm-unittest
-        run: helm plugin install https://github.com/helm-unittest/helm-unittest
+        run: |
+          if ! helm plugin list | grep -q unittest; then
+            helm plugin install https://github.com/helm-unittest/helm-unittest
+          else
+            echo "helm-unittest plugin already installed"
+          fi
 
       - name: Run integration tests
         env:
@@ -104,6 +142,7 @@ jobs:
 
   update-changelog:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     needs: [lint-test]
     name: Automatically update CHANGELOG
     permissions:
@@ -112,7 +151,7 @@ jobs:
     if: always() && needs.lint-test.outputs.changed == 'true'
     steps:
       - name: Checkout PR branch
-        uses: actions/checkout@v5.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.ref }}
@@ -183,7 +222,7 @@ jobs:
       - name: Commit and push via GitHub API
         id: push-changes
         if: steps.check-changes.outputs.has_changes == 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |