ci(workflows): pin actions to full sha (#34)

* ci(workflows): pin actions to full sha

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

* ci(dependabot): add configuration for GitHub Actions updates

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

* fix: issue template path

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

* fix: format script block for Azure DevOps token retrieval

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

---------

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

Author: DariuszPorowski

.github/workflows/ISSUE_TEMPLATE/bug.md .github/ISSUE_TEMPLATE/bug.md.github/workflows/ISSUE_TEMPLATE/bug.md renamed to .github/ISSUE_TEMPLATE/bug.md

@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=https://www.schemastore.org/dependabot-2.0.json
+# See GitHub's documentation for more information on this file:
+# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference
+---
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: ci
+      include: scope
+    groups:
+      all:
+        patterns:
+          - "*"

.github/dependabot.yml

@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Sync issue to Azure DevOps work item
 
 on:
@@ -23,27 +25,31 @@ jobs:
       # Auth using Azure Service Principals was added as a part of v2.3
       # reference: https://github.com/danhellem/github-actions-issue-to-work-item/pull/143
       - name: Login to Azure
-        uses: azure/login@v2
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ vars.AZURE_SP_DEVOPS_SYNC_CLIENT_ID }}
           tenant-id: ${{ vars.AZURE_SP_DEVOPS_SYNC_TENANT_ID }}
           allow-no-subscriptions: true
+
       - name: Get Azure DevOps token
         id: get_ado_token
-        run:
+        run: |
           # The resource ID for Azure DevOps is always 499b84ac-1321-427f-aa17-267ca6975798
           # https://learn.microsoft.com/azure/devops/integrate/get-started/authentication/service-principal-managed-identity
-          echo "ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv)" >> $GITHUB_ENV
+          ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv)
+          echo "::add-mask::$ADO_TOKEN"
+          echo "ADO_TOKEN=$ADO_TOKEN" >> $GITHUB_ENV
+
       - name: Sync issue to Azure DevOps
-        uses: danhellem/github-actions-issue-to-work-item@v2.3
+        uses: danhellem/github-actions-issue-to-work-item@8d0ead9b49a65aa66dac6949b1ff149d7ef8b4de # v2.5
         env:
           ado_token: ${{ env.ADO_TOKEN }}
-          github_token: '${{ secrets.GH_RAD_CI_BOT_PAT }}'
-          ado_organization: 'azure-octo'
-          ado_project: 'Incubations'
+          github_token: ${{ secrets.GH_RAD_CI_BOT_PAT }}
+          ado_organization: azure-octo
+          ado_project: Incubations
           ado_area_path: "Incubations\\Radius"
           ado_iteration_path: "Incubations\\Radius"
-          ado_new_state: 'New'
-          ado_active_state: 'Active'
-          ado_close_state: 'Closed'
-          ado_wit: 'GitHub Issue'
+          ado_new_state: New
+          ado_active_state: Active
+          ado_close_state: Closed
+          ado_wit: GitHub Issue

.github/workflows/issues.yml

@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Radius Website
 
 on:
@@ -16,51 +18,55 @@ jobs:
     if: github.event.action != 'closed'
     runs-on: ubuntu-latest
     env:
-      GOVER: '^1.17'
+      GOVER: "^1.17"
       HUGO_ENV: production
-      SWA_BASE: 'brave-pond-00b49761e'
+      SWA_BASE: brave-pond-00b49761e
     steps:
       - name: Checkout website repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
       - name: Setup Hugo
-        uses: peaceiris/actions-hugo@v2.5.0
+        uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
         with:
           hugo-version: 0.102.3
           extended: true
+
       - name: Build Hugo Site
         run: |
           if [ $GITHUB_EVENT_NAME == 'pull_request' ]; then
             STAGING_URL="https://${SWA_BASE}-${{github.event.number}}.3.azurestaticapps.net/"
           fi
           hugo ${STAGING_URL+-b "$STAGING_URL"}
+
       - name: Upload Hugo artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: hugo_build
           path: ./public/
           if-no-files-found: error
-  
+
   deploy:
     name: Deploy Hugo Website
-    needs: ['build']
+    needs: ["build"]
     runs-on: ubuntu-latest
     environment:
       name: latest
       url: https://radapp.io
     steps:
       - name: Download Hugo artifacts
-        uses: actions/download-artifact@v4.1.7
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: hugo_build
           path: site/
+
       - name: Deploy static web app
-        uses: Azure/static-web-apps-deploy@v1
+        uses: Azure/static-web-apps-deploy@4d27395796ac319302594769cfe812bd207490b1 # v1
         with:
           azure_static_web_apps_api_token: ${{ secrets.SWA_TOKEN }}
           skip_deploy_on_missing_secrets: true
           repo_token: ${{ secrets.GITHUB_TOKEN }}
-          action: "upload"
-          app_location: "site/"
-          api_location: "site/" 
+          action: upload
+          app_location: site/
+          api_location: site/
           output_location: ""
           skip_app_build: true

.github/workflows/main.yml

@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Spellcheck
 
 on:
@@ -13,7 +15,7 @@ on:
       - edge
 
 env:
-  ACTION_LINK: '${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}'
+  ACTION_LINK: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
 
 concurrency:
   group: spellcheck-${{ github.ref }}-${{ github.event.pull_request.number || github.sha }}
@@ -23,37 +25,42 @@ jobs:
     name: Spellcheck
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout docs
-      uses: actions/checkout@v4
-    - name: Spellcheck
-      uses: rojopolis/spellcheck-github-actions@0.36.0
-      with:
-        config_path: .github/config/.pyspelling.yml
-    - name: Post GitHub workkflow output on failure
-      if: failure()
-      run: |
-        echo "## :x: Spellcheck Failed" >> $GITHUB_STEP_SUMMARY
-        echo "There are spelling errors in your PR. Visit [the workflow output](${{ env.ACTION_LINK }}) to see what words are failing." >> $GITHUB_STEP_SUMMARY
-        echo "### Adding new words" >> $GITHUB_STEP_SUMMARY
-        echo "If you are adding a new custom word refer to the [docs guide](https://docs.radapp.io/contributing/docs/#spelling)" >> $GITHUB_STEP_SUMMARY
-    - name: Post GitHub workflow output on success
-      run: |
-        echo "## :white_check_mark: Spellcheck Passed" >> $GITHUB_STEP_SUMMARY
-        echo "There are no spelling errors in your PR." >> $GITHUB_STEP_SUMMARY
-    - name: Post GitHub comment on failure
-      if: failure()
-      uses: marocchino/sticky-pull-request-comment@v2
-      with:
-        header: spellcheck
-        recreate: true
-        message: |
-          ## :x: Spellcheck Failed
-          There are spelling errors in your PR. Visit [the workflow output](${{ env.ACTION_LINK }}) to see what words are failing.
-          ### Adding new words
-          If you are adding a new custom word refer to the [docs guide](https://docs.radapp.io/contributing/docs/#spelling)
-    - name: Clear GitHub comment on success
-      uses: marocchino/sticky-pull-request-comment@v2
-      continue-on-error: true
-      with:
-        header: spellcheck
-        delete: true
+      - name: Checkout docs
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
+      - name: Spellcheck
+        uses: rojopolis/spellcheck-github-actions@6f2326b663e2dbab920da0fc4144b9f3202434ba # 0.54.0
+        with:
+          config_path: .github/config/.pyspelling.yml
+
+      - name: Post GitHub workkflow output on failure
+        if: failure()
+        run: |
+          echo "## :x: Spellcheck Failed" >> $GITHUB_STEP_SUMMARY
+          echo "There are spelling errors in your PR. Visit [the workflow output](${{ env.ACTION_LINK }}) to see what words are failing." >> $GITHUB_STEP_SUMMARY
+          echo "### Adding new words" >> $GITHUB_STEP_SUMMARY
+          echo "If you are adding a new custom word refer to the [docs guide](https://docs.radapp.io/contributing/docs/#spelling)" >> $GITHUB_STEP_SUMMARY
+
+      - name: Post GitHub workflow output on success
+        run: |
+          echo "## :white_check_mark: Spellcheck Passed" >> $GITHUB_STEP_SUMMARY
+          echo "There are no spelling errors in your PR." >> $GITHUB_STEP_SUMMARY
+
+      - name: Post GitHub comment on failure
+        if: failure()
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
+        with:
+          header: spellcheck
+          recreate: true
+          message: |
+            ## :x: Spellcheck Failed
+            There are spelling errors in your PR. Visit [the workflow output](${{ env.ACTION_LINK }}) to see what words are failing.
+            ### Adding new words
+            If you are adding a new custom word refer to the [docs guide](https://docs.radapp.io/contributing/docs/#spelling)
+
+      - name: Clear GitHub comment on success
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
+        continue-on-error: true
+        with:
+          header: spellcheck
+          delete: true

.github/workflows/spellcheck.yaml

@@ -1,3 +1,4 @@
 **.lock
 _gen/
 .DS_Store
+public/*