Checkmarx · cx-yevgeny-kuznetsov · May 22, 2026 · May 22, 2026
diff --git a/.github/workflows/auto-merge-pr.yml b/.github/workflows/auto-merge-pr.yml
@@ -6,7 +6,7 @@ permissions:
 
 jobs:
   dependabot-merge:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     if: contains(github.head_ref, 'feature/update_cli')
     steps:
       - name: Enable auto-merge for Dependabot PRs

diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml
@@ -11,7 +11,7 @@ on:
 
 jobs:
   cx-scan:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,12 +4,12 @@ on: [ pull_request ]
 
 jobs:
   integration-tests:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
 
     name: Integration Testing
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
 
       - name: Create source file
         run: |

diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -6,7 +6,7 @@ permissions:
 
 jobs:
   dependabot-merge:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:
       - name: Dependabot metadata

diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -4,9 +4,15 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   release-draft:
-    runs-on: ubuntu-latest
+    permissions:
+      contents: write  # for release-drafter/release-drafter to create a github release
+      pull-requests: write  # for release-drafter/release-drafter to add label to PR
+    runs-on: cx-public-ubuntu-x64
 
     steps:
       - name: Create Release

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,13 +10,13 @@ on:
 
 jobs:
   release:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     outputs:
       CLI_VERSION: ${{ steps.extract_cli_version.outputs.CLI_VERSION }}
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
 

diff --git a/.github/workflows/update-docker-image.yml b/.github/workflows/update-docker-image.yml
@@ -10,16 +10,19 @@ on:
   repository_dispatch:
     types: [cli-version-update]
 
+permissions:
+  contents: read
+
 jobs:
   update-base-image:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     permissions:
       contents: write
       pull-requests: write
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Get Version and SHA256 Manifest Digest
         id: checkmarx-ast-cli