fix: pin 17 unpinned action(s),extract 7 unsafe expression(s) to env vars

Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
 .github/workflows/build.yaml   |  8 ++++----
 .github/workflows/publish.yaml | 28 +++++++++++++++++-----------
 .github/workflows/release.yaml | 26 +++++++++++++++++---------
 3 files changed, 38 insertions(+), 24 deletions(-)

Author: dagecko

.github/workflows/build.yaml

@@ -34,7 +34,7 @@ jobs:
       - name: Checkout repo
         uses: actions/checkout@v6
       - name: Check changed files
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         id: filter
         with:
           filters: |
@@ -98,7 +98,7 @@ jobs:
     if: needs.changes.outputs.helm == 'true'
     steps:
       - uses: actions/checkout@v6
-      - uses: azure/setup-helm@v4
+      - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - run: helm plugin install https://github.com/instrumenta/helm-kubeval
@@ -151,7 +151,7 @@ jobs:
             test/package-lock.json
       - run: SKIP_SUBMODULE_DEPS=1 npm ci
       - run: npm run test:unit
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
         if: success()
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -167,7 +167,7 @@ jobs:
         with:
           submodules: true
       - run: sudo apt update && sudo apt install -y libkrb5-dev
-      - uses: awalsh128/cache-apt-pkgs-action@latest
+      - uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
         with:
           packages: quilt
           version: 1.0

.github/workflows/publish.yaml

@@ -33,7 +33,7 @@ jobs:
           node-version-file: .node-version
 
       - name: Download npm package from release artifacts
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
         with:
           repository: "coder/code-server"
           tag: ${{ github.event.inputs.version || github.ref_name }}
@@ -43,9 +43,11 @@ jobs:
       # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
-          TAG="${{ github.event.inputs.version || github.ref_name }}"
+          TAG="${INPUT_VERSION}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
+        env:
+          INPUT_VERSION: ${{ github.event.inputs.version || github.ref_name }}
       - run: npm run publish:npm
         env:
           VERSION: ${{ env.VERSION }}
@@ -88,11 +90,13 @@ jobs:
       # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
-          TAG="${{ github.event.inputs.version || github.ref_name }}"
+          TAG="${INPUT_VERSION}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
+        env:
+          INPUT_VERSION: ${{ github.event.inputs.version || github.ref_name }}
       - name: Validate package
-        uses: heyhusen/archlinux-package-action@v3.0.0
+        uses: heyhusen/archlinux-package-action@c9f94059ccbebe8710d31d582f33ef4e84fe575c # v3.0.0
         env:
           VERSION: ${{ env.VERSION }}
         with:
@@ -119,19 +123,19 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Login to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -140,19 +144,21 @@ jobs:
       # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
-          TAG="${{ github.event.inputs.version || github.ref_name }}"
+          TAG="${INPUT_VERSION}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
+        env:
+          INPUT_VERSION: ${{ github.event.inputs.version || github.ref_name }}
       - name: Download deb artifacts
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
         with:
           repository: "coder/code-server"
           tag: v${{ env.VERSION }}
           fileName: "*.deb"
           out-file-path: "release-packages"
 
       - name: Download rpm artifacts
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
         with:
           repository: "coder/code-server"
           tag: v${{ env.VERSION }}

.github/workflows/release.yaml

@@ -111,14 +111,16 @@ jobs:
       # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
-          TAG="${{ inputs.version || github.ref_name }}"
+          TAG="${REF_NAME}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
+        env:
+          REF_NAME: ${{ inputs.version || github.ref_name }}
       - env:
           VERSION: ${{ env.VERSION }}
         run: npm run package $PKG_ARCH
 
-      - uses: softprops/action-gh-release@v1
+      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           draft: true
           discussion_category_name: "📣 Announcements"
@@ -171,15 +173,17 @@ jobs:
       # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
-          TAG="${{ inputs.version || github.ref_name }}"
+          TAG="${REF_NAME}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
+        env:
+          REF_NAME: ${{ inputs.version || github.ref_name }}
       - name: Build packages with nfpm
         env:
           VERSION: ${{ env.VERSION }}
         run: npm run package
 
-      - uses: softprops/action-gh-release@v1
+      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           draft: true
           discussion_category_name: "📣 Announcements"
@@ -232,15 +236,17 @@ jobs:
       # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
-          TAG="${{ inputs.version || github.ref_name }}"
+          TAG="${REF_NAME}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
+        env:
+          REF_NAME: ${{ inputs.version || github.ref_name }}
       - name: Build packages with nfpm
         env:
           VERSION: ${{ env.VERSION }}
         run: npm run package
 
-      - uses: softprops/action-gh-release@v1
+      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           draft: true
           discussion_category_name: "📣 Announcements"
@@ -257,7 +263,7 @@ jobs:
         with:
           name: npm-release-package
 
-      - uses: softprops/action-gh-release@v1
+      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           draft: true
           discussion_category_name: "📣 Announcements"
@@ -269,7 +275,7 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Download artifacts
-        uses: dawidd6/action-download-artifact@v16
+        uses: dawidd6/action-download-artifact@2536c51d3d126276eb39f74d6bc9c72ac6ef30d3 # v16
         id: download
         with:
           branch: ${{ github.ref }}
@@ -284,9 +290,11 @@ jobs:
       # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
-          TAG="${{ inputs.version || github.ref_name }}"
+          TAG="${REF_NAME}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
+        env:
+          REF_NAME: ${{ inputs.version || github.ref_name }}
       - name: Modify version
         env:
           VERSION: ${{ env.VERSION }}