nginx · Akshay2191 · Mar 2, 2026 · Mar 4, 2026 · Mar 9, 2026 · Mar 12, 2026
@@ -26,7 +26,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
             fetch-tags: 'true'
-      
+
       - name: Get Secrets from Azure Key Vault
         uses: ./.github/actions/az-sync
         with:
@@ -35,10 +35,10 @@ jobs:
           az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
           keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
           secrets-filter: 'artifactory'
-      
+
       - name: Generate SBOM Document
         id: sbom-src
-        uses: nginxinc/compliance-rules/.github/actions/sbom-source@main
+        uses: nginxinc/compliance-rules/.github/actions/sbom-source@361e2ac0a4f333150a3773a815aac632d32ffde9 # main
         with:
           product-name: ${{ github.event.repository.name }}
           release-version: ${{ github.ref_name }}

@@ -12,6 +12,10 @@ on:
     branches:
       - main
       - dev-v2
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
 
 # Declare default permissions as read only.
 permissions: read-all

@@ -3,11 +3,11 @@
 # Dependabot can keep this file up to date with latest containers.
 
 # Weaver is used to generate markdown docs, and enforce policies on the model.
-FROM otel/weaver:v0.13.2 AS weaver
+FROM otel/weaver:v0.13.2@sha256:ae7346b992e477f629ea327e0979e8a416a97f7956ab1f7e95ac1f44edf1a893 AS weaver
 
 # OPA is used to test policies enforced by weaver.
-FROM openpolicyagent/opa:1.2.0 AS opa
+FROM openpolicyagent/opa:1.2.0@sha256:96f7ee5dbcc634853c55e0fc6090fe421d8c853da967ee0246f98bd186e2083f AS opa
 
 # Semconv gen is used for backwards compatibility checks.
 # TODO(jsuereth): Remove this when no longer used.
-FROM otel/semconvgen:0.25.0 AS semconvgen
+FROM otel/semconvgen:0.25.0@sha256:9df7b8cbaa732277d64d0c0a8604d96bb6f5a36d0e96338cba5dced720c16485 AS semconvgen