[Security] Pin GitHub Actions to a full-length commit SHA (#44)

## Pin GitHub Actions to SHA hashes

This automated PR pins third-party GitHub Actions references from mutable tag versions (e.g., `@v4`) to their corresponding SHA hashes (e.g., `@abc123...`). The original tag is preserved as a comment for readability. Your workflows will work exactly the same way. Internal actions (under the `DataDog` organization) are not pinned.

Read https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions for more details and info on how to configure this for entire repos.

### Why pin GitHub Actions?

Git tags are mutable: they can be moved to point to different commits at any time. A compromised or malicious action maintainer could update a tag to inject arbitrary code into your CI workflows (see the [tj-actions incident](https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066)). Pinning to SHA hashes ensures you always run the exact code you reviewed, protecting your repository from supply chain attacks such as the tj-actions incident.

### What if something breaks?

If a pinned action doesn't work for your use case, you can push a commit directly to this branch to fix it. As a last resort, reach out to **#sdlc-security** on Slack.

### Set up Dependabot or Renovate for automatic updates

Once actions are pinned to SHA hashes, you should configure Dependabot or Renovate to receive weekly update PRs when new versions are available.

In the case of Dependabot, create or update `.github/dependabot.yml`:
```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"
    open-pull-requests-limit: 10
```

Dependabot will automatically propose PRs that update both the SHA hash and the version comment like [in this example](DataDog/datadog-agent#46761).

---
*This PR was automatically generated by the GitHub Actions Pinning tool, owned by #sdlc-security.*


Co-authored-by: julien.doutre <julien.doutre@datadoghq.com>

Author: juliendoutre

.github/workflows/dev.yml

@@ -12,7 +12,7 @@ jobs:
     container:
       image: datadog/docker-library:dd-trace-cpp-ci
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - run: ./scripts/codestyle.sh lint
 
   build:
@@ -21,7 +21,7 @@ jobs:
     container:
       image: datadog/docker-library:httpd-datadog-ci-2.4-cdb3cb2
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           submodules: true
       - name: Add cloned repo as safe
@@ -33,7 +33,7 @@ jobs:
           cmake --build build -j --verbose
           cmake --install build --prefix dist
       - name: Export library
-        uses:  actions/upload-artifact@v4
+        uses:  actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: mod_datadog_artifact
           path: dist/lib/mod_datadog.so
@@ -51,12 +51,12 @@ jobs:
       DD_CIVISIBILITY_AGENTLESS_ENABLED: true
       LLVM_PROFILE_FILE: /tmp/httpd.%p-%m.profraw
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - run: |
           pip install -r requirements.txt --break-system-packages
           pip install ddtrace --break-system-packages
       - name: Import library from build job
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: mod_datadog_artifact
           path: dist/lib
@@ -69,7 +69,7 @@ jobs:
           llvm-profdata merge -sparse /tmp/*.profraw -o /tmp/default.profdata 
           llvm-cov export dist/lib/mod_datadog.so -format=lcov -instr-profile=/tmp/default.profdata -ignore-filename-regex=/httpd/ > coverage.lcov
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
           files: coverage.lcov
           name: github-actions

.github/workflows/release.yml

@@ -7,7 +7,7 @@ jobs:
     container:
       image: datadog/docker-library:httpd-datadog-ci-2.4-cdb3cb2
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           submodules: true
       - name: Add cloned repo as safe
@@ -19,12 +19,12 @@ jobs:
           cmake --build build -j --verbose
           cmake --install build --prefix dist
       - name: Export library
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: mod_datadog_artifact
           path: dist/lib/mod_datadog.so
       - name: Export library (debug symbol)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: mod_datadog_artifact-debug
           path: dist/lib/mod_datadog.so.debug

.github/workflows/system-tests.yml

@@ -21,7 +21,7 @@ jobs:
     container:
       image: datadog/docker-library:httpd-datadog-ci-2.4-cdb3cb2
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           submodules: true
       - name: Add cloned repo as safe
@@ -33,7 +33,7 @@ jobs:
           cmake --build build -j --verbose
           cmake --install build --prefix dist
       - name: Export library
-        uses:  actions/upload-artifact@v4
+        uses:  actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: system_tests_binaries
           path: dist/lib/mod_datadog.so