Merge pull request #4995 from arturcic/fix/sonar-s7637-pin-actions

ci: pin GitHub Actions to full commit SHAs (S7637)

Author: arturcic

.github/actions/artifacts-attest/action.yml

@@ -5,7 +5,7 @@ runs:
   using: 'composite'
   steps:
     - name: 'Attestation'
-      uses: actions/attest-build-provenance@v4.1.0
+      uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1
       with:
         subject-path: |
           ${{ github.workspace }}/artifacts/packages/native

.github/actions/artifacts-restore/action.yml

@@ -4,25 +4,25 @@ description: 'Artifacts restore'
 runs:
   using: 'composite'
   steps:
-    - uses: actions/download-artifact@v8
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       name: Download native linux packages
       with:
         name: native-Linux
         path: ${{ github.workspace }}/artifacts/packages/native
 
-    - uses: actions/download-artifact@v8
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       name: Download native windows packages
       with:
         name: native-Windows
         path: ${{ github.workspace }}/artifacts/packages/native
 
-    - uses: actions/download-artifact@v8
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       name: Download native macos packages
       with:
         name: native-macOS
         path: ${{ github.workspace }}/artifacts/packages/native
 
-    - uses: actions/download-artifact@v8
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       name: Download nuget packages
       with:
         name: nuget

.github/actions/cache-restore/action.yml

@@ -6,19 +6,19 @@ runs:
   steps:
     - name: Use cached cake frosting
       id: cache-cake
-      uses: actions/cache@v5
+      uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
       with:
         path: run
         key: run-${{ runner.os }}-${{ hashFiles('./build/**') }}
 
     - name: Use cached tools
       id: cache-tools
-      uses: actions/cache@v5
+      uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
       with:
         path: tools
         key: tools-${{ runner.os }}-${{ hashFiles('./build/**') }}
 
     - name: Setup .NET SDK
-      uses: actions/setup-dotnet@v5
+      uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5.4.0
       with:
         global-json-file: global.json

.github/actions/docker-manifests/action.yml

@@ -24,7 +24,7 @@ runs:
   using: 'composite'
   steps:
     - name: Login to DockerHub
-      uses: docker/login-action@v4
+      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
       with:
         username: ${{ inputs.docker_registry_username }}
         password: ${{ inputs.docker_registry_password }}
@@ -40,7 +40,7 @@ runs:
               --docker_distro=$env:DOCKER_DISTRO --docker_registry dockerhub
 
     - name: Login to GitHub
-      uses: docker/login-action@v4
+      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
       with:
         registry: ghcr.io
         username: ${{ inputs.github_registry_username }}

.github/actions/docker-publish/action.yml

@@ -27,7 +27,7 @@ runs:
   using: 'composite'
   steps:
     - name: Login to DockerHub
-      uses: docker/login-action@v4
+      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
       with:
         username: ${{ inputs.docker_registry_username }}
         password: ${{ inputs.docker_registry_password }}
@@ -44,7 +44,7 @@ runs:
               --docker_distro=$env:DOCKER_DISTRO --docker_registry dockerhub --verbosity=diagnostic
 
     - name: Login to GitHub
-      uses: docker/login-action@v4
+      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
       with:
         registry: ghcr.io
         username: ${{ inputs.github_registry_username }}

.github/actions/docker-setup/action.yml

@@ -5,6 +5,6 @@ runs:
   using: 'composite'
   steps:
     - name: Set up Docker
-      uses: docker/setup-docker-action@v5
+      uses: docker/setup-docker-action@0234bb73ccb40f0c430b795634f9247e2b5c2d23 # v5.2.0
       with:
         daemon-config: '{ "features": { "containerd-snapshotter": true } }'

.github/actions/docker-test/action.yml

@@ -15,7 +15,7 @@ runs:
   using: 'composite'
   steps:
     - name: '[Docker Build & Test] DockerHub'
-      uses: nick-fields/retry@v4
+      uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
       with:
         shell: pwsh
         timeout_minutes: 30
@@ -27,7 +27,7 @@ runs:
                 --docker_distro=${{ inputs.docker_distro }} --docker_registry dockerhub --verbosity=diagnostic
 
     - name: '[Docker Build & Test] GitHub'
-      uses: nick-fields/retry@v4
+      uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
       with:
         shell: pwsh
         timeout_minutes: 30

.github/workflows/_artifacts_linux.yml

@@ -29,20 +29,20 @@ jobs:
         dotnet_version: ${{ fromJson(inputs.dotnet_versions) }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v7
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           fetch-depth: 0
 
       - name: Restore State
         uses: ./.github/actions/cache-restore
 
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         name: Download nuget packages
         with:
           name: nuget
           path: ${{ github.workspace }}/artifacts/packages/nuget
 
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         name: Download native packages
         with:
           name: native-Linux
@@ -52,7 +52,7 @@ jobs:
         uses: ./.github/actions/docker-setup
 
       - name: '[Test Artifacts]'
-        uses: nick-fields/retry@v4
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
         with:
           shell: pwsh
           timeout_minutes: 30

.github/workflows/_artifacts_windows.yml

@@ -16,21 +16,21 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v7
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           fetch-depth: 0
 
       - name: Restore State
         uses: ./.github/actions/cache-restore
 
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         name: Download nuget packages
         with:
           name: nuget
           path: ${{ github.workspace }}/artifacts/packages/nuget
 
       - name: '[Test Artifacts]'
-        uses: nick-fields/retry@v4
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
         with:
           shell: pwsh
           timeout_minutes: 30

.github/workflows/_build.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v7
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           fetch-depth: 0
 
@@ -28,21 +28,21 @@ jobs:
         run: dotnet run/build.dll --target=Package
 
       - name: 'Upload nuget packages'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: matrix.os == 'windows-2025-vs2026'
         with:
           name: nuget
           path: ${{ github.workspace }}/artifacts/packages/nuget
 
       - name: 'Upload native packages'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: matrix.os == 'windows-2025-vs2026'
         with:
           name: native-${{ runner.os }}
           path: ${{ github.workspace }}/artifacts/packages/native/*.zip
 
       - name: 'Upload native packages'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: matrix.os != 'windows-2025-vs2026'
         with:
           name: native-${{ runner.os }}