[Security] Pin GitHub Actions to a full-length commit SHA (#1104)

## Pin GitHub Actions to SHA hashes

This automated PR pins third-party GitHub Actions references from
mutable tag versions (e.g., `@v4`) to their corresponding SHA hashes
(e.g., `@abc123...`). The original tag is preserved as a comment for
readability. Your workflows will work exactly the same way. Internal
actions (under the `DataDog` organization) are not pinned.

Read
https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
for more details and info on how to configure this for entire repos.

### Why pin GitHub Actions?

Git tags are mutable: they can be moved to point to different commits at
any time. A compromised or malicious action maintainer could update a
tag to inject arbitrary code into your CI workflows (see the [tj-actions
incident](https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066)).
Pinning to SHA hashes ensures you always run the exact code you
reviewed, protecting your repository from supply chain attacks such as
the tj-actions incident.

### What if something breaks?

If a pinned action doesn't work for your use case, you can push a commit
directly to this branch to fix it. As a last resort, reach out to
**#sdlc-security** on Slack.

### Set up Dependabot or Renovate for automatic updates

Once actions are pinned to SHA hashes, you should configure Dependabot
or Renovate to receive weekly update PRs when new versions are
available.

In the case of Dependabot, create or update `.github/dependabot.yml`:
```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"
    open-pull-requests-limit: 10
```

Dependabot will automatically propose PRs that update both the SHA hash
and the version comment like [in this
example](DataDog/datadog-agent#46761).

---
*This PR was automatically generated by the GitHub Actions Pinning tool,
owned by #sdlc-security.*

Author: juliendoutre

.github/workflows/codeql-analysis.yml

@@ -25,11 +25,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v6.0.2
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -38,7 +38,7 @@ jobs:
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v4
+      uses: github/codeql-action/autobuild@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0

.github/workflows/publish-serverless-init-to-ghcr.yml

@@ -43,7 +43,7 @@ jobs:
           crane version
 
       - name: Login to GHCR
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/release-serverless-init.yml

@@ -45,9 +45,9 @@ jobs:
         ]
     name: "Release Serverless Init (isAlpine: ${{ matrix.arrays.isAlpine }})"
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: DataDog/datadog-agent
           ref: ${{ github.event.inputs.agentBranch }}
@@ -66,7 +66,7 @@ jobs:
           image: tonistiigi/binfmt:qemu-v10.1.3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Build binaries
         working-directory: ./scripts
@@ -87,15 +87,15 @@ jobs:
           cp ./scripts/serverless_init_dotnet.sh ./scripts/bin/
 
       - name: Login to GHCR
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
         id: docker_build
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: ./scripts
           file: ./scripts/${{ matrix.arrays.dockerFile }}
@@ -106,7 +106,7 @@ jobs:
 
       - name: Build and push latest
         id: docker_build_latest
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         if: ${{ github.event.inputs.latestTag == 'yes' }}
         with:
           context: ./scripts

.github/workflows/rs_ci.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-22.04
     timeout-minutes: 3
     steps:
-      - uses: styfle/cancel-workflow-action@0.13.1
+      - uses: styfle/cancel-workflow-action@d07a454dad7609a92316b57b23c9ccfd4f59af66 # v0.13.1
         with:
           access_token: ${{ secrets.GITHUB_TOKEN }}
           all_but_latest: true # can cancel workflows scheduled later
@@ -31,7 +31,7 @@ jobs:
       SCCACHE_GHA_ENABLED: "true"
       RUSTC_WRAPPER: "sccache"
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       # Install protobuf compiler for linux. The versions bundled with Ubuntu
       # 20.04 and 22.04 are too old -- our messages require protobuf >= 3.15 --
@@ -44,10 +44,10 @@ jobs:
           unzip "protoc-${{ env.PB_VERSION }}-${{ env.PB_TARGET }}.zip" -d "$HOME/.local"
           export PATH="$PATH:$HOME/.local/bin"
 
-      - uses: actions-rust-lang/setup-rust-toolchain@v1.15.3
+      - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1.15.3
         with:
           cache: false
-      - uses: mozilla-actions/sccache-action@v0.0.9
+      - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
       - working-directory: bottlecap
         run: cargo check --workspace
 
@@ -59,7 +59,7 @@ jobs:
       SCCACHE_GHA_ENABLED: "true"
       RUSTC_WRAPPER: "sccache"
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       # Install protobuf compiler for linux. The versions bundled with Ubuntu
       # 20.04 and 22.04 are too old -- our messages require protobuf >= 3.15 --
@@ -72,11 +72,11 @@ jobs:
           unzip "protoc-${{ env.PB_VERSION }}-${{ env.PB_TARGET }}.zip" -d "$HOME/.local"
           export PATH="$PATH:$HOME/.local/bin"
 
-      - uses: actions-rust-lang/setup-rust-toolchain@v1.15.3
+      - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1.15.3
         with:
           components: clippy
           cache: false
-      - uses: mozilla-actions/sccache-action@v0.0.9
+      - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
       # We need to do these separately because the fips feature is incompatible with the default feature.
       - working-directory: bottlecap
         run: cargo clippy --workspace --all-targets --features default
@@ -91,7 +91,7 @@ jobs:
       SCCACHE_GHA_ENABLED: "true"
       RUSTC_WRAPPER: "sccache"
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       # Install protobuf compiler for linux. The versions bundled with Ubuntu
       # 20.04 and 22.04 are too old -- our messages require protobuf >= 3.15 --
@@ -104,10 +104,10 @@ jobs:
           unzip "protoc-${{ env.PB_VERSION }}-${{ env.PB_TARGET }}.zip" -d "$HOME/.local"
           export PATH="$PATH:$HOME/.local/bin"
 
-      - uses: actions-rust-lang/setup-rust-toolchain@v1.15.3
+      - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1.15.3
         with:
           cache: false
-      - uses: mozilla-actions/sccache-action@v0.0.9
+      - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
       - working-directory: bottlecap
         run: cargo build --all
 
@@ -119,7 +119,7 @@ jobs:
       SCCACHE_GHA_ENABLED: "true"
       RUSTC_WRAPPER: "sccache"
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       # Install protobuf compiler for linux. The versions bundled with Ubuntu
       # 20.04 and 22.04 are too old -- our messages require protobuf >= 3.15 --
@@ -132,13 +132,13 @@ jobs:
           unzip "protoc-${{ env.PB_VERSION }}-${{ env.PB_TARGET }}.zip" -d "$HOME/.local"
           export PATH="$PATH:$HOME/.local/bin"
 
-      - uses: actions-rust-lang/setup-rust-toolchain@v1.15.3
+      - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1.15.3
         with:
           cache: false
-      - uses: taiki-e/install-action@v2
+      - uses: taiki-e/install-action@cbb1dcaa26e1459e2876c39f61c1e22a1258aac5 # v2.68.33
         with:
           tool: nextest@0.9
-      - uses: mozilla-actions/sccache-action@v0.0.9
+      - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
       - working-directory: bottlecap
         run: cargo nextest run --workspace
 
@@ -149,8 +149,8 @@ jobs:
       matrix:
         os: [ubuntu-22.04, macos-latest]
     steps:
-      - uses: actions/checkout@v6.0.2
-      - uses: actions-rust-lang/setup-rust-toolchain@v1.15.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1.15.3
         with:
           components: rustfmt
           cache: false
@@ -163,7 +163,7 @@ jobs:
     name: "Valid LICENSE-3rdparty.csv"
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - run: cargo install dd-rust-license-tool --locked
       - run: dd-rust-license-tool check
         working-directory: bottlecap
@@ -176,7 +176,7 @@ jobs:
       checks: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Scan Rust dependencies with cargo-audit
         uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
         with:

.github/workflows/test-qemu-versions.yml

@@ -83,7 +83,7 @@ jobs:
           - "tonistiigi/binfmt:qemu-v7.0.0-28"
     name: "QEMU ${{ matrix.qemu_image }}"
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
@@ -94,7 +94,7 @@ jobs:
         run: docker run --rm --privileged ${{ matrix.qemu_image }} --version
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       # Simple docker run tests — catches deterministically broken versions
       # (v9.2.0 and v8.1.5 consistently fail here; v8.1.4 is flaky).