ci: Pin GitHub actions versions

rettichschnidi · rettichschnidi · commit 8576766e98be · 2024-11-15T15:07:42.000+01:00
This will improve our OpenSSF score card result.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -14,7 +14,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
@@ -42,7 +42,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
@@ -17,7 +17,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
diff --git a/.github/workflows/clang-static-analyzer.yaml b/.github/workflows/clang-static-analyzer.yaml
@@ -8,7 +8,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
@@ -22,7 +22,7 @@ jobs:
       run: tools/ci/run_ci.sh --run-build --scan-build scan-build-14
 
     - name: Upload scan build reports
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: Clang Static Analyzer Reports
         path: build-wakaama/clang-static-analyzer
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -14,7 +14,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
@@ -25,12 +25,12 @@ jobs:
         sudo apt-get install cmake libcunit1-dev ninja-build unzip wget
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
       with:
         languages: cpp
 
     - name: Build all binaries
       run: tools/ci/run_ci.sh --run-build
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml
@@ -9,7 +9,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
 
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
@@ -8,7 +8,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
@@ -26,7 +26,7 @@ jobs:
           --test-coverage html
 
     - name: Upload HTML coverage report
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: Coverage Report (HTML)
         path: build-wakaama/coverage
diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml
@@ -10,7 +10,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Install dependencies from APT repository
       run:  |
@@ -21,7 +21,7 @@ jobs:
       run: tools/ci/run_ci.sh --run-doxygen
 
     - name: Upload Doxygen documentation
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: Doxygen documentation (HTML)
         path: build-wakaama/doxygen
diff --git a/.github/workflows/macos.yaml b/.github/workflows/macos.yaml
@@ -12,7 +12,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
diff --git a/.github/workflows/multiarch.yaml b/.github/workflows/multiarch.yaml
@@ -11,12 +11,12 @@ jobs:
         arch: ["armv6", "armv7", "aarch64", "s390x", "ppc64le"]
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
     - name: Build and test
-      uses: uraimo/run-on-arch-action@v2.8.1
+      uses: uraimo/run-on-arch-action@5397f9e30a9b62422f302092631c99ae1effcd9e # v2.8.1
       id: runcmd
       with:
         arch: ${{ matrix.arch }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -52,7 +52,7 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
         with:
           sarif_file: results.sarif
 
diff --git a/.github/workflows/sonarcloud-scan.yaml b/.github/workflows/sonarcloud-scan.yaml
@@ -8,7 +8,7 @@ jobs:
 
     steps:
     - name: Checkout code including full history and submodules
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         submodules: true
         fetch-depth: 0
@@ -19,7 +19,7 @@ jobs:
         sudo apt-get install cmake gcovr libcunit1-dev ninja-build unzip wget
 
     - name:  Install sonar-scanner and build-wrapper
-      uses: sonarsource/sonarcloud-github-c-cpp@v2
+      uses: sonarsource/sonarcloud-github-c-cpp@e4882e1621ad2fb48dddfa48287411bed34789b1 # v2.0.2
 
     - name: Collect test coverage data
       run: |
