fix(security): pinning all third-party Github actions to commit hashes

Author: benthevining

.github/workflows/build_and_test.yml

@@ -93,15 +93,15 @@ jobs:
     # TODO: ensure install of runtime libraries for sanitizers, set LD_LIBRARY_PATH
     - name: Ensure Clang version
       if: runner.os == 'Linux' && matrix.preset == 'clang'
-      uses: egor-tensin/setup-clang@v2.1
+      uses: egor-tensin/setup-clang@471a6f8ef1d449dba8e1a51780e7f943572a3f99 # v2.1
       with:
         version: 21
 
     - name: Ensure CMake 4.0
-      uses: lukka/get-cmake@v4.2.3
+      uses: lukka/get-cmake@f176ccd3f28bda569c43aae4894f06b2435a3375 # v4.2.3
 
     - name: Checkout code
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
     - name: Install Python dependencies
       run: cmake -P InstallPythonDeps.cmake
@@ -119,7 +119,7 @@ jobs:
       continue-on-error: true
 
     - name: Upload test results
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
       with:
         name: ${{ env.JUNIT_FILENAME }}
         path: ${{ env.BUILD_DIR }}/${{ env.JUNIT_FILENAME }}
@@ -129,7 +129,7 @@ jobs:
       run: cmake --install ${{ env.BUILD_DIR }} --prefix ${{ env.DEPLOY_DIR }} --component ben_bot --config ${{ matrix.config }}
 
     - name: Upload artifact
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
       if: matrix.config == 'Release'
       with:
         name: BenBot-${{ matrix.os }}-${{ matrix.preset }}
@@ -147,14 +147,14 @@ jobs:
 
     steps:
     - name: Download JUnit results
-      uses: actions/download-artifact@v8
+      uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
       with:
         path: junit
         pattern: junit-*
         merge-multiple: true
 
     - name: Report aggregate results
-      uses: EnricoMi/publish-unit-test-result-action@v2.23.0
+      uses: EnricoMi/publish-unit-test-result-action@c950f6fb443cb5af20a377fd0dfaa78838901040 # v2.23.0
       with:
         check_name: "Test Results (${{ github.event.workflow_run.event || github.event_name }})"
         files: junit/*.xml

.github/workflows/code_ql.yml

@@ -44,18 +44,18 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
       with:
         languages: ${{ matrix.language }}
         build-mode: none
         analysis-kinds: code-scanning, code-quality
         queries: security-and-quality
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
       with:
         category: "/language:${{matrix.language}}"
 
@@ -71,13 +71,13 @@ jobs:
 
     steps:
     - name: Ensure CMake 4.0
-      uses: lukka/get-cmake@v4.2.3
+      uses: lukka/get-cmake@f176ccd3f28bda569c43aae4894f06b2435a3375 # v4.2.3
 
     - name: Checkout repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
       with:
         languages: ${{ env.LANGUAGE }}
         build-mode: manual
@@ -92,6 +92,6 @@ jobs:
       working-directory: Builds/${{ env.PRESET }}
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
       with:
         category: "/language:${{ env.LANGUAGE }}"

.github/workflows/docs.yml

@@ -60,10 +60,10 @@ jobs:
         sudo apt install -y doxygen graphviz
 
     - name: Ensure CMake 4.0
-      uses: lukka/get-cmake@v4.2.3
+      uses: lukka/get-cmake@f176ccd3f28bda569c43aae4894f06b2435a3375 # v4.2.3
 
     - name: Checkout code
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
         ref: ${{ inputs.ref || github.ref }}
 
@@ -90,7 +90,7 @@ jobs:
     # Create status check to report warnings
     - name: Report check state
       if: always()
-      uses: LouisBrunner/checks-action@v2
+      uses: LouisBrunner/checks-action@6b626ffbad7cc56fd58627f774b9067e6118af23 # v2
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         name: Docs warnings
@@ -103,7 +103,7 @@ jobs:
         cmake --install ${{ env.BUILD_DIR }} --prefix ${{ env.DEPLOY_DIR }} --component ben_bot_docs
 
     - name: Upload artifact
-      uses: actions/upload-pages-artifact@v4
+      uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4
       with:
         name: BenBot-docs
         path: ${{ env.DEPLOY_DIR }}/share/doc/html
@@ -123,6 +123,6 @@ jobs:
     steps:
     - name: Deploy to GitHub Pages
       id: deployment
-      uses: actions/deploy-pages@v4
+      uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
       with:
         artifact_name: BenBot-docs

.github/workflows/sprt_internal.yml

@@ -53,14 +53,14 @@ jobs:
 
     steps:
     - name: Ensure CMake 4.0
-      uses: lukka/get-cmake@v4.2.3
+      uses: lukka/get-cmake@f176ccd3f28bda569c43aae4894f06b2435a3375 # v4.2.3
 
     - name: Checkout code
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
     - name: Download fastchess release
       id: download_fastchess
-      uses: robinraju/release-downloader@v1.12
+      uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
       with:
         repository: Disservin/fastchess
         latest: true
@@ -88,7 +88,7 @@ jobs:
     - name: Download latest BenBot release
       if: ${{ !inputs.use_main }}
       id: download_benbot
-      uses: robinraju/release-downloader@v1.12
+      uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
       with:
         latest: true
         fileName: BenBot-ubuntu-latest-clang.zip
@@ -116,7 +116,7 @@ jobs:
 
     - name: Checkout main
       if: ${{ inputs.use_main }}
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
         ref: main
         path: ${{ env.TMP_ROOT }}
@@ -164,7 +164,7 @@ jobs:
       working-directory: ${{ env.BUILD_DIR }}
 
     - name: Upload logs
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
       with:
         name: sprt-logs
         path: logs/sprt

.github/workflows/tag_and_release.yml

@@ -54,7 +54,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
         fetch-depth: 0
 
@@ -68,7 +68,7 @@ jobs:
       run: pre-commit install --install-hooks
 
     - name: Import GPG key
-      uses: crazy-max/ghaction-import-gpg@v7
+      uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7
       with:
         gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
         passphrase: ${{ secrets.GPG_PASSPHRASE }}
@@ -132,22 +132,22 @@ jobs:
 
     - name: Ensure Clang version
       if: runner.os == 'Linux' && matrix.preset == 'clang'
-      uses: egor-tensin/setup-clang@v2.1
+      uses: egor-tensin/setup-clang@471a6f8ef1d449dba8e1a51780e7f943572a3f99 # v2.1
       with:
         version: 21
 
     - name: Ensure CMake 4.0
-      uses: lukka/get-cmake@v4.2.3
+      uses: lukka/get-cmake@f176ccd3f28bda569c43aae4894f06b2435a3375 # v4.2.3
 
     - name: Import signing certificate to keychain
       if: runner.os == 'macOS'
-      uses: Apple-Actions/import-codesign-certs@v6.0.0
+      uses: Apple-Actions/import-codesign-certs@b610f78488812c1e56b20e6df63ec42d833f2d14 # v6.0.0
       with:
         p12-file-base64: ${{ secrets.CODESIGN_CERT_FILE_BASE64 }}
         p12-password: ${{ secrets.CODESIGN_CERT_PASSWORD }}
 
     - name: Checkout code
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
         ref: ${{ needs.bump_version.outputs.tag_name }}
 
@@ -164,7 +164,7 @@ jobs:
         cmake --install ${{ env.BUILD_DIR }} --prefix ${{ env.DEPLOY_DIR }} --component ben_bot --config Release
 
     - name: Upload artifact
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
       with:
         name: BenBot-${{ matrix.os }}-${{ matrix.preset }}
         path: ${{ env.DEPLOY_DIR }}
@@ -197,7 +197,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
         ref: ${{ needs.bump_version.outputs.tag_name }}
 
@@ -207,7 +207,7 @@ jobs:
 
     - name: Download artifacts
       id: download
-      uses: actions/download-artifact@v8
+      uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
       with:
         path: artifacts
 
@@ -216,7 +216,7 @@ jobs:
       working-directory: .github/scripts
 
     - name: Create release
-      uses: softprops/action-gh-release@v2
+      uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
       with:
         tag_name: ${{ needs.bump_version.outputs.tag_name }}
         files: ${{ env.REZIPPED_ARTIFACTS }}/**
@@ -243,13 +243,13 @@ jobs:
 
     steps:
     - name: Login to Docker
-      uses: docker/login-action@v4
+      uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
       with:
         username: benvining
         password: ${{ secrets.DOCKERHUB_TOKEN }}
 
     - name: Checkout code
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
         ref: ${{ needs.bump_version.outputs.tag_name }}
 
@@ -288,7 +288,7 @@ jobs:
 
     steps:
     - name: Update & restart Docker image
-      uses: appleboy/ssh-action@v1
+      uses: appleboy/ssh-action@0ff4204d59e8e51228ff73bce53f80d53301dee2 # v1
       with:
         host: ${{ secrets.VPS_IP_V4 }}
         username: root