Pin reusable workflow actions to full commit SHAs (#4155)

* Pin reusable workflow actions to full commit SHAs

datadog-api-spec enforces a policy requiring all actions to be pinned
to full commit SHAs; tag references like @v3/@v4 are rejected at job
setup, causing all test jobs to fail.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Pin post-status-check action in test.yml to full commit SHA

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* disable static checks for now

* remove it completely

* Pin gotestsum to v1.12.3 to support Go 1.22/1.23

gotestsum@latest resolved to v1.13.0 which requires Go >= 1.24.0,
breaking the test matrix that runs on Go 1.22.x and 1.23.x.
v1.12.3 is the latest release that supports Go 1.23.

* Pin all remaining workflow actions to full commit SHAs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Fix gotestsum pin to v1.12.1 to support Go 1.22

v1.12.3 requires Go 1.23.0, which breaks the Go 1.22.x matrix job.
v1.12.1 requires only Go 1.21 and works across both 1.22.x and 1.23.x.

* Drop Go 1.22 from test matrix; align tests/go.mod to go 1.23

golang.org/x/net v0.36.0 (already in tests/go.sum) requires Go 1.23+.
Go 1.22 reached EOL and the test module already implicitly required 1.23
via its dependencies. Remove 1.22 from the staticcheck and test matrices
and update tests/go.mod to declare go 1.23 honestly.

* Revert "Drop Go 1.22 from test matrix; align tests/go.mod to go 1.23"

This reverts commit 863afcf.

* Restore GOTOOLCHAIN=auto to unblock Go 1.22 test job

setup-go v6 (used since pinning actions to SHAs) sets GOTOOLCHAIN=local,
which prevents Go from auto-selecting the go1.23.7 toolchain declared in
tests/go.mod. The previous successful runs relied on this auto-selection
(setup-go v4 did not set GOTOOLCHAIN=local). Adding GOTOOLCHAIN=auto to
the test step restores the original behavior without changing any deps.

Also reverts gotestsum back to @latest since GOTOOLCHAIN=auto allows it
to download the required toolchain, matching the working run.

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: nogates

.github/workflows/approved_status.yml

@@ -25,13 +25,13 @@ jobs:
     steps:
       - name: Get GitHub App token
         id: get_token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
         with:
           app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
           private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
           repositories: datadog-api-spec
       - name: Post PR review status check
-        uses: DataDog/github-actions/post-review-status@v2
+        uses: DataDog/github-actions/post-review-status@65b4875f33ad773d7ba4b005a2cb5f35020295f3 # v2.3.0
         with:
           github-token: ${{ steps.get_token.outputs.token }}
           repo: datadog-api-spec

.github/workflows/codeql-analysis.yml

@@ -25,15 +25,15 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4
         with:
           go-version: 1.22.x
 
     # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2
         with:
           languages: ${{ matrix.language }}
           source-root: api
@@ -44,7 +44,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # v2
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2

.github/workflows/docs.yml

@@ -13,10 +13,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4
         with:
           go-version: 1.22.x
 
@@ -27,7 +27,7 @@ jobs:
           go install github.com/johnstarich/go/gopages@latest
           gopages -source-link "https://github.com/DataDog/datadog-api-client-go/blob/master/{{.Path}}{{if .Line}}#L{{.Line}}{{end}}" -brand-description "Datadog API client for GO" -brand-title "Datadog" -base /datadog-api-client-go
 
-      - uses: peaceiris/actions-gh-pages@v3
+      - uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./dist

.github/workflows/labeler.yml

@@ -11,6 +11,6 @@ jobs:
   triage:
     runs-on: ubuntu-latest
     steps:
-      - uses: DataDog/labeler@glob-all
+      - uses: DataDog/labeler@5170395583c7f7ec92989fd24faffc5b6154b866 # glob-all
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/reusable-examples.yml

@@ -15,7 +15,7 @@ jobs:
     outputs:
       matrix: ${{ steps.split.outputs.matrix }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: DataDog/datadog-api-client-go
           ref: ${{ inputs.target-branch || github.ref }}
@@ -31,12 +31,12 @@ jobs:
       matrix:
         group: ${{ fromJson(needs.prepare.outputs.matrix) }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: DataDog/datadog-api-client-go
           ref: ${{ inputs.target-branch || github.ref }}
       - name: Install Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 1.22.x
           cache: true

.github/workflows/reusable-go-test.yml

@@ -30,30 +30,19 @@ jobs:
     runs-on: ${{ matrix.platform }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: DataDog/datadog-api-client-go
           ref: ${{ inputs.target-branch || github.ref }}
       - name: Install Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ${{ matrix.go-version }}
           cache: true
           cache-dependency-path: |
             go.sum
             tests/go.sum
-      - name: Staticcheck (api module)
-        uses: dominikh/staticcheck-action@v1
-        with:
-          checks: "-SA1009"
-          working-directory: api
-          cache-key: ${{ matrix.go-version }}
-      - name: Staticcheck (tests module)
-        uses: dominikh/staticcheck-action@v1
-        with:
-          checks: "inherit,-SA1019"
-          cache-key: ${{ matrix.go-version }}
-          working-directory: tests
+
   test:
     strategy:
       matrix:
@@ -63,12 +52,12 @@ jobs:
     runs-on: ${{ matrix.platform }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: DataDog/datadog-api-client-go
           ref: ${{ inputs.target-branch || github.ref }}
       - name: Install Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ${{ matrix.go-version }}
           cache: true
@@ -77,6 +66,7 @@ jobs:
         run: ./scripts/run-tests.sh
         env:
           TESTARGS: ${{ matrix.go-build-tags }}
+          GOTOOLCHAIN: auto
 
   build-terraform-provider:
     if: false # temporarily disabled

.github/workflows/reusable-integration-test.yml

@@ -85,26 +85,26 @@ jobs:
       - name: Get GitHub App token
         if: github.event_name == 'pull_request'
         id: get_token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
         with:
           app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
           private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
           repositories: ${{ inputs.target-repo || 'datadog-api-spec' }}
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: DataDog/datadog-api-client-go
           ref: ${{ inputs.target-branch || github.ref }}
       - name: Post pending status check
         if: github.event_name == 'pull_request' && contains(github.event.pull_request.head.ref, 'datadog-api-spec/generated/') && (inputs.enable-status-reporting || github.event_name != 'workflow_call')
-        uses: DataDog/github-actions/post-status-check@v2
+        uses: DataDog/github-actions/post-status-check@65b4875f33ad773d7ba4b005a2cb5f35020295f3 # v2.3.0
         with:
           github-token: ${{ steps.get_token.outputs.token }}
           repo: ${{ inputs.target-repo || 'datadog-api-spec' }}
           status: pending
           context: ${{ inputs.status-context || 'integration' }}
       - name: Install Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 1.22.x
           cache: true
@@ -124,15 +124,15 @@ jobs:
           SLEEP_AFTER_REQUEST: ${{ secrets.SLEEP_AFTER_REQUEST || vars.SLEEP_AFTER_REQUEST }}
       - name: Post failure status check
         if: failure() && github.event_name == 'pull_request' && contains(github.event.pull_request.head.ref, 'datadog-api-spec/generated/') && (inputs.enable-status-reporting || github.event_name != 'workflow_call')
-        uses: DataDog/github-actions/post-status-check@v2
+        uses: DataDog/github-actions/post-status-check@65b4875f33ad773d7ba4b005a2cb5f35020295f3 # v2.3.0
         with:
           github-token: ${{ steps.get_token.outputs.token }}
           repo: ${{ inputs.target-repo || 'datadog-api-spec' }}
           status: failure
           context: ${{ inputs.status-context || 'integration' }}
       - name: Post success status check
         if: "!failure() && github.event_name == 'pull_request' && contains(github.event.pull_request.head.ref, 'datadog-api-spec/generated/') && (inputs.enable-status-reporting || github.event_name != 'workflow_call')"
-        uses: DataDog/github-actions/post-status-check@v2
+        uses: DataDog/github-actions/post-status-check@65b4875f33ad773d7ba4b005a2cb5f35020295f3 # v2.3.0
         with:
           github-token: ${{ steps.get_token.outputs.token }}
           repo: ${{ inputs.target-repo || 'datadog-api-spec' }}

.github/workflows/reusable-pre-commit.yml

@@ -30,29 +30,29 @@ jobs:
       - name: Get GitHub App token
         id: get_token
         if: inputs.enable-commit-changes
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
         with:
           app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
           private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           repository: DataDog/datadog-api-client-go
           ref: ${{ inputs.target-branch || github.event.pull_request.head.sha || github.ref }}
           token: ${{ inputs.enable-commit-changes && steps.get_token.outputs.token || github.token }}
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: '3.11'
       - name: Install pre-commit
         run: python -m pip install pre-commit
       - name: set PY
         run: echo "PY=$(python -c 'import platform;print(platform.python_version())')" >> $GITHUB_ENV
-      - uses: actions/cache@v3
+      - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
         with:
           path: ~/.cache/pre-commit
           key: pre-commit|${{ env.PY }}|${{ hashFiles('.pre-commit-config.yaml') }}
       - name: Install Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 1.22.x
       - name: Determine pre-commit range

.github/workflows/stale.yml

@@ -16,7 +16,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-issue-message: >-

.github/workflows/test.yml

@@ -66,7 +66,7 @@ jobs:
           scope: DataDog/datadog-api-spec
           policy: datadog-api-client-go.github.post-status-check.pr
       - name: Post status check
-        uses: DataDog/github-actions/post-status-check@v2
+        uses: DataDog/github-actions/post-status-check@65b4875f33ad773d7ba4b005a2cb5f35020295f3 # v2.3.0
         with:
           github-token: ${{ steps.octo-sts.outputs.token }}
           repo: datadog-api-spec