CCM-14499: Pinning all GitHub Actions to SHAs

Author: damientobin1

.github/actions/acceptance-tests/action.yaml

@@ -60,7 +60,6 @@ runs:
         ENVIRONMENT: ${{ inputs.targetEnvironment }}
     - name: Archive integration test results
       if: ${{ inputs.testType == 'integration' }}
-      uses: actions/upload-artifact@v4
-      with:
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4      with:
         name: Integration test report
         path: "tests/playwright/playwright-report"

.github/actions/build-docs/action.yml

@@ -14,8 +14,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout
-      uses: actions/checkout@v5
-    - uses: ./.github/actions/node-install
+      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5    - uses: ./.github/actions/node-install
       with:
         node-version: ${{ inputs.node-version }}
         GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }}
@@ -24,16 +23,14 @@ runs:
       run: npm ci
       shell: bash
     - name: Setup Ruby
-      uses: ruby/setup-ruby@v1.267.0
-      with:
+      uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0      with:
         ruby-version: "3.4.7" # Not needed with a .ruby-version file
         bundler-cache: true # Enable automatic gem caching
         cache-version: 0 # Increment this number if you need to re-download cached gems
         working-directory: "./docs"
     - name: Setup Pages
       id: pages
-      uses: actions/configure-pages@v5
-    - name: Build with Jekyll
+      uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5    - name: Build with Jekyll
       working-directory: ./docs
       # Outputs to the './_site' directory by default
       shell: bash
@@ -45,8 +42,7 @@ runs:
         VERSION: ${{ inputs.version }}
     - name: Upload artifact
       # Automatically uploads an artifact from the './_site' directory by default
-      uses: actions/upload-pages-artifact@v3
-      with:
+      uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3      with:
         path: "docs/_site/"
         name: jekyll-docs-${{ inputs.version }}
 
@@ -55,7 +51,6 @@ runs:
       shell: bash
 
     - name: Upload artifact
-      uses: actions/upload-artifact@v4
-      with:
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4      with:
         path: "artifact.tar"
         name: schemas-${{ inputs.version }}

.github/actions/build-schemas/action.yml

@@ -8,8 +8,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout
-      uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4    - uses: actions/setup-node@v4
       with:
         node-version: 18
 
@@ -28,7 +27,6 @@ runs:
       shell: bash
 
     - name: Upload artifact
-      uses: actions/upload-artifact@v4
-      with:
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4      with:
         path: "artifact.tar"
         name: schemas-${{ inputs.version }}

.github/actions/create-lines-of-code-report/action.yaml

@@ -33,8 +33,7 @@ runs:
       run: zip lines-of-code-report.json.zip lines-of-code-report.json
     - name: "Upload CLOC report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@v4
-      with:
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4      with:
         name: lines-of-code-report.json.zip
         path: ./lines-of-code-report.json.zip
         retention-days: 21
@@ -45,8 +44,7 @@ runs:
         echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the report"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v4
-      with:
+      uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4      with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}
     - name: "Send the CLOC report to the central location"

.github/actions/node-install/action.yaml

@@ -13,8 +13,7 @@ runs:
   using: 'composite'
   steps:
     - name: 'Use Node.js'
-      uses: actions/setup-node@v6
-      with:
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6      with:
         node-version: '${{ inputs.node-version }}'
         cache: 'npm'
         cache-dependency-path: '**/package-lock.json'

.github/actions/scan-dependencies/action.yaml

@@ -33,8 +33,7 @@ runs:
       run: zip sbom-repository-report.json.zip sbom-repository-report.json
     - name: "Upload SBOM report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@v4
-      with:
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4      with:
         name: sbom-repository-report.json.zip
         path: ./sbom-repository-report.json.zip
         retention-days: 21
@@ -49,8 +48,7 @@ runs:
       run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json
     - name: "Upload vulnerabilities report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@v4
-      with:
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4      with:
         name: vulnerabilities-repository-report.json.zip
         path: ./vulnerabilities-repository-report.json.zip
         retention-days: 21
@@ -60,8 +58,7 @@ runs:
       run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the reports"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v4
-      with:
+      uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4      with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}
     - name: "Send the SBOM and vulnerabilities reports to the central location"

.github/workflows/cicd-1-pull-request.yaml

@@ -40,8 +40,7 @@ jobs:
       # skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }}
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v5
-      - name: "Set CI/CD variables"
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5      - name: "Set CI/CD variables"
         id: variables
         run: |
           datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')

.github/workflows/cicd-3-deploy.yaml

@@ -52,8 +52,7 @@ jobs:
       # tag: ${{ steps.variables.outputs.tag }}
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v5
-      - name: "Set CI/CD variables"
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5      - name: "Set CI/CD variables"
         id: variables
         run: |
           datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
@@ -85,8 +84,7 @@ jobs:
     needs: metadata
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v5
-
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: "Get version"
         id: get-asset-version
         shell: bash
@@ -143,6 +141,5 @@ jobs:
 
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
-        with:
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4        with:
           artifact_name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}}

.github/workflows/manual-combine-dependabot-prs.yaml

@@ -15,8 +15,7 @@ jobs:
     steps:
       - name: combine-prs
         id: combine-prs
-        uses: github/combine-prs@v5.2.0
-        with:
+        uses: github/combine-prs@e6d37110da1b512313419ba6992492dad622139f # v5.2.0        with:
           ci_required: false
           labels: dependencies
           pr_title: Combined Dependabot PRs

.github/workflows/pr_closed.yaml

@@ -48,8 +48,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5.0.0
-
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Updating Main Environment
         env:
           APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}