Pin the versions of CI actions to commit sha's (#865)

Author: mhucka

.github/workflows/ci-build-checks.yaml

@@ -6,6 +6,7 @@
 # Bazel artifacts, and can be invoked manually via the "Run workflow" button at
 # https://github.com/tensorflow/quantum/actions/workflows/ci-build-checks.yaml
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# yamllint disable rule:line-length
 
 name: CI build checks
 run-name: Continuous integration build & test
@@ -178,12 +179,12 @@ jobs:
       debug: ${{steps.parameters.outputs.debug}}
     steps:
       - name: Check out a copy of the TFQ git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
         # Note: setup-python has a cache facility, but we don't use it here
         # because we want to cache more Python things than setup-python does.
       - name: Set up Python ${{inputs.python_ver || env.python_ver}}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
 
@@ -218,7 +219,7 @@ jobs:
           fi
 
       - name: Test if the cache already exists
-        uses: actions/cache@v4
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
         id: check_cache
         with:
           lookup-only: true
@@ -241,7 +242,7 @@ jobs:
           steps.check_cache.outputs.cache-hit != 'true' ||
           inputs.remake_python_cache == 'true'
         name: Set up the Python cache
-        uses: actions/cache@v4
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
         id: restore_cache
         with:
           key: ${{steps.parameters.outputs.python_cache_key}}
@@ -269,22 +270,22 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out a copy of the TFQ git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
 
       - name: Restore our Python cache
-        uses: actions/cache@v4
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
         with:
           key: ${{needs.Setup.outputs.python_cache_key}}
           path: ${{needs.Setup.outputs.python_cache_paths}}
           fail-on-cache-miss: true
 
       - name: Set up Bazel
-        uses: bazel-contrib/[email protected]
+        uses: bazel-contrib/setup-bazel@c50333a3696ad2e6df1e7a2f9b417c5336db774f # 0.12.0
         # Note that we don't need to set the Bazel version to use, because it
         # knows to use what's in the .bazel-version file.
         with:
@@ -307,7 +308,7 @@ jobs:
           pip install -U ./wheel/*.whl
 
       - name: Save the wheel for the tutorial tests
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
         with:
           name: wheel-${{github.run_id}}
           path: ./wheel
@@ -316,7 +317,7 @@ jobs:
 
       - if: failure() || needs.Setup.outputs.debug == 'true'
         name: Make Bazel artifacts downloadable for analysis
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
         with:
           name: bazel-build-artifacts-${{github.run_id}}
           retention-days: 14
@@ -338,22 +339,22 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out a copy of the TFQ git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
 
       - name: Restore our Python cache
-        uses: actions/cache@v4
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
         with:
           key: ${{needs.Setup.outputs.python_cache_key}}
           path: ${{needs.Setup.outputs.python_cache_paths}}
           fail-on-cache-miss: true
 
       - name: Get the Python wheel we built
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4
         with:
           name: wheel-${{github.run_id}}
           path: ./wheel
@@ -374,22 +375,22 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out a copy of the TFQ git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
 
       - name: Restore our Python cache
-        uses: actions/cache@v4
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
         with:
           key: ${{needs.Setup.outputs.python_cache_key}}
           path: ${{needs.Setup.outputs.python_cache_paths}}
           fail-on-cache-miss: true
 
       - name: Set up Bazel
-        uses: bazel-contrib/[email protected]
+        uses: bazel-contrib/setup-bazel@c50333a3696ad2e6df1e7a2f9b417c5336db774f # 0.12.0
         with:
           bazelrc: ${{env.bazelrc_additions}}
           bazelisk-cache: true
@@ -407,7 +408,7 @@ jobs:
 
       - if: failure() || needs.Setup.outputs.debug == 'true'
         name: Make Bazel artifacts downloadable for analysis
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
         with:
           name: bazel-tests-${{github.run_id}}
           retention-days: 7
@@ -428,22 +429,22 @@ jobs:
     needs: [Decision, Setup, Build_wheel]
     steps:
       - name: Check out a copy of the TFQ git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
 
       - name: Restore our Python cache
-        uses: actions/cache@v4
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
         with:
           key: ${{needs.Setup.outputs.python_cache_key}}
           path: ${{needs.Setup.outputs.python_cache_paths}}
           fail-on-cache-miss: true
 
       - name: Get the Python wheel we built
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4
         with:
           name: wheel-${{github.run_id}}
           path: ./wheel
@@ -473,22 +474,22 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out a copy of the TFQ git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
 
       - name: Restore our Python cache
-        uses: actions/cache@v4
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
         with:
           key: ${{needs.Setup.outputs.python_cache_key}}
           path: ${{needs.Setup.outputs.python_cache_paths}}
           fail-on-cache-miss: true
 
       - name: Set up Bazel
-        uses: bazel-contrib/[email protected]
+        uses: bazel-contrib/setup-bazel@c50333a3696ad2e6df1e7a2f9b417c5336db774f # 0.12.0
         with:
           bazelrc: ${{env.bazelrc_additions}}
           bazelisk-cache: true

.github/workflows/ci-file-checks.yaml

@@ -109,10 +109,10 @@ jobs:
           echo base=${{github.ref_name}} >> "$GITHUB_ENV"
 
       - name: Check out a copy of the TFQ git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Determine files changed by this ${{github.event_name}} event
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         id: filter
         with:
           base: ${{env.base}}
@@ -142,12 +142,12 @@ jobs:
       cache_paths: ${{steps.parameters.outputs.cache_paths}}
     steps:
       - name: Check out a copy of the TFQ git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
         # Note: setup-python has a cache facility, but we don't use it here
         # because we want to cache more Python things than setup-python does.
       - name: Set up Python ${{inputs.python_ver || env.python_ver}}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
 
@@ -167,7 +167,7 @@ jobs:
           } >> "$GITHUB_OUTPUT"
 
       - name: Test if the cache already exists
-        uses: actions/cache@v4
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
         id: check_cache
         with:
           lookup-only: true
@@ -190,7 +190,7 @@ jobs:
           steps.check_cache.outputs.cache-hit != 'true' ||
           inputs.remake_python_cache == 'true'
         name: Set up the Python cache
-        uses: actions/cache@v4
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
         id: restore_cache
         with:
           key: ${{steps.parameters.outputs.cache_key}}
@@ -227,7 +227,7 @@ jobs:
       changed_files: ${{needs.Changes.outputs.cc_files}}
     steps:
       - name: Check out a copy of the TFQ git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Set up clang-format output problem matcher
         run: echo '::add-matcher::.github/problem-matchers/clang-format.json'
@@ -264,15 +264,15 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out a copy of the TFQ git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
 
       - name: Restore the Python cache
-        uses: actions/cache@v4
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
         with:
           key: ${{needs.Setup.outputs.cache_key}}
           path: ${{needs.Setup.outputs.cache_paths}}
@@ -304,15 +304,15 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out a copy of the TFQ git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
 
       - name: Restore the Python cache
-        uses: actions/cache@v4
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
         with:
           key: ${{needs.Setup.outputs.cache_key}}
           path: ${{needs.Setup.outputs.cache_paths}}
@@ -350,7 +350,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Check out a copy of the TFQ git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 
       - name: Set up yamllint output problem matcher
         run: echo '::add-matcher::.github/problem-matchers/yamllint.json'

.github/workflows/ci-nightly-build-test.yaml

@@ -13,6 +13,7 @@
 # This workflow also can be invoked manually via the "Run workflow" button at
 # https://github.com/tensorflow/quantum/actions/workflows/ci-build-checks.yaml
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# yamllint disable rule:line-length
 
 name: CI nightly full test
 run-name: Continuous integration nightly build & test
@@ -61,7 +62,7 @@ jobs:
       run: ${{steps.commits.outputs.count > 0}}
     steps:
       - name: Check out a sparse copy of the git repo for TFQ
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           sparse-checkout: .
 
@@ -79,15 +80,15 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out a copy of the TFQ git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Set up Python ${{inputs.py_version || env.py_version}}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
         with:
           python-version: ${{inputs.py_version || env.py_version}}
 
       - name: Set up Bazel
-        uses: bazel-contrib/[email protected]
+        uses: bazel-contrib/setup-bazel@f3f50ea6791b9b0f4c4eeabba4507422426462f5 # 0.9.1
         with:
           bazelrc: ${{env.bazelrc_additions}}
 
@@ -123,7 +124,7 @@ jobs:
 
       - if: failure() || inputs.save_artifacts == 'true'
         name: Make artifacts downloadable
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
         with:
           name: test-artifacts
           retention-days: 7