test(deps): update all workflow actions, pin to SHA w/descriptive comments

- removes deprecation warnings about node20 still being in use (updates)
- incremental step to better software supply chain security (pinned SHAs)

Author: mikehardy

.github/workflows/create_test_patches.yml

@@ -28,16 +28,19 @@ jobs:
     name: Create patch-package Patches
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # https://github.com/actions/checkout/releases
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       # Future ideas:
       # - make into an action, parameterize directories to pack, and package names to install
       # - name patches w/PR as "semver prerelease" and SHA as "semver build info". Needs patch-package enhancement.
-      - uses: actions/setup-node@v4
+      # https://github.com/actions/setup-node/releases
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 22
 
-      - uses: actions/cache/restore@v4
+      # https://github.com/actions/cache/releases
+      - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         name: Yarn Cache Restore
         id: yarn-cache
         continue-on-error: true
@@ -47,7 +50,8 @@ jobs:
           restore-keys: ${{ runner.os }}-yarn-v1
 
       - name: Yarn Install
-        uses: nick-fields/retry@v3
+        # https://github.com/nick-fields/retry/releases
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
         with:
           timeout_minutes: 15
           retry_wait_seconds: 60
@@ -86,12 +90,14 @@ jobs:
         shell: bash
 
       - name: Upload Test Patches
-        uses: actions/upload-artifact@v4
+        # https://github.com/actions/upload-artifact/releases
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: patches
           path: ~/template/patches/
 
-      - uses: actions/cache/save@v4
+      # https://github.com/actions/cache/releases
+      - uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         name: Yarn Cache Save
         if: "${{ github.ref == 'refs/heads/main' }}"
         continue-on-error: true

.github/workflows/deploy-api-reference.yml

@@ -17,10 +17,12 @@ jobs:
     name: 'Build API Reference'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      # https://github.com/actions/checkout/releases
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@v6
+      # https://github.com/actions/setup-node/releases
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: lts/*
           registry-url: 'https://registry.npmjs.org'
@@ -30,7 +32,8 @@ jobs:
           npm install -g npm@latest
           npm --version
       - name: Yarn Install
-        uses: nick-fields/retry@v4
+        # https://github.com/nick-fields/retry/releases
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
         with:
           timeout_minutes: 15
           retry_wait_seconds: 60
@@ -40,7 +43,8 @@ jobs:
         run: yarn reference:api:gh-pages
       - name: Upload API reference artifact
         id: deployment
-        uses: actions/upload-pages-artifact@v3
+        # https://github.com/actions/upload-pages-artifact/releases
+        uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
         with:
           path: ./apidocs-out
 
@@ -54,4 +58,5 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        # https://github.com/actions/deploy-pages/releases
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0

.github/workflows/docs.yml

@@ -18,13 +18,16 @@ jobs:
     name: 'Spelling & Grammar'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # https://github.com/actions/checkout/releases
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 1
-      - uses: actions/setup-node@v4
+      # https://github.com/actions/setup-node/releases
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 22
-      - uses: actions/cache/restore@v4
+      # https://github.com/actions/cache/releases
+      - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         name: Yarn Cache Restore
         id: yarn-cache
         continue-on-error: true
@@ -33,7 +36,8 @@ jobs:
           key: ${{ runner.os }}-yarn-v1-${{ hashFiles('yarn.lock') }}
           restore-keys: ${{ runner.os }}-yarn-v1
       - name: Yarn Install
-        uses: nick-fields/retry@v3
+        # https://github.com/nick-fields/retry/releases
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
         with:
           timeout_minutes: 15
           retry_wait_seconds: 30
@@ -44,7 +48,8 @@ jobs:
       - name: Spell check
         run: |
           yarn lint:spellcheck
-      - uses: actions/cache/save@v4
+      # https://github.com/actions/cache/releases
+      - uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         name: Yarn Cache Save
         if: "${{ github.ref == 'refs/heads/main' }}"
         continue-on-error: true

.github/workflows/issue-labels.yaml

@@ -22,23 +22,26 @@ jobs:
 
       - name: Add 'Needs Attention' label if OP responded and it was open
         if: env.op_comment == 'true' && github.event.issue.state == 'open'
-        uses: actions-ecosystem/action-add-labels@v1
+        # https://github.com/actions-ecosystem/action-add-labels/releases
+        uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1
         with:
           labels: 'Needs Attention'
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
 
       - name: Remove 'blocked customer-response' label if OP responded and it was open
         if: env.op_comment == 'true' && github.event.issue.state == 'open'
-        uses: actions-ecosystem/action-remove-labels@v1
+        # https://github.com/actions-ecosystem/action-remove-labels/releases
+        uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1
         with:
           labels: 'blocked: customer-response'
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
 
       - name: Add comment if OP responded but issue was closed
         if: env.op_comment == 'true' && github.event.issue.state == 'closed'
-        uses: actions-ecosystem/action-create-comment@v1
+        # https://github.com/actions-ecosystem/action-create-comment/releases
+        uses: actions-ecosystem/action-create-comment@e23bc59fbff7aac7f9044bd66c2dc0fe1286f80b # v1
         with:
           github_token: ${{ secrets.GH_TOKEN }}
           body: |

.github/workflows/linting.yml

@@ -19,18 +19,22 @@ jobs:
     timeout-minutes: 30
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # https://github.com/actions/checkout/releases
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 1
-      - uses: actions/setup-node@v4
+      # https://github.com/actions/setup-node/releases
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 22
       - name: Configure JDK
-        uses: actions/setup-java@v4
+        # https://github.com/actions/setup-java/releases
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
         with:
           distribution: 'temurin'
           java-version: '21'
-      - uses: actions/cache/restore@v4
+      # https://github.com/actions/cache/releases
+      - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         name: Yarn Cache Restore
         id: yarn-cache
         continue-on-error: true
@@ -39,20 +43,23 @@ jobs:
           key: ${{ runner.os }}-yarn-v1-${{ hashFiles('yarn.lock') }}
           restore-keys: ${{ runner.os }}-yarn-v1
       - name: Yarn Install
-        uses: nick-fields/retry@v3
+        # https://github.com/nick-fields/retry/releases
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
         with:
           timeout_minutes: 15
           retry_wait_seconds: 30
           max_attempts: 3
           command: yarn
       - name: Lint
-        uses: nick-fields/retry@v3
+        # https://github.com/nick-fields/retry/releases
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
         with:
           timeout_minutes: 3
           retry_wait_seconds: 10
           max_attempts: 3
           command: yarn lint
-      - uses: actions/cache/save@v4
+      # https://github.com/actions/cache/releases
+      - uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         name: Yarn Cache Save
         if: "${{ github.ref == 'refs/heads/main' }}"
         continue-on-error: true
@@ -66,13 +73,16 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
+      # https://github.com/actions/checkout/releases
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 1
-      - uses: actions/setup-node@v4
+      # https://github.com/actions/setup-node/releases
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 22
-      - uses: actions/cache/restore@v4
+      # https://github.com/actions/cache/releases
+      - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         name: Yarn Cache Restore
         id: yarn-cache
         continue-on-error: true
@@ -81,15 +91,17 @@ jobs:
           key: ${{ runner.os }}-yarn-v1-${{ hashFiles('yarn.lock') }}
           restore-keys: ${{ runner.os }}-yarn-v1
       - name: Yarn Install
-        uses: nick-fields/retry@v3
+        # https://github.com/nick-fields/retry/releases
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
         with:
           timeout_minutes: 15
           retry_wait_seconds: 30
           max_attempts: 3
           command: yarn
       - name: Lint
         run: yarn tsc:compile
-      - uses: actions/cache/save@v4
+      # https://github.com/actions/cache/releases
+      - uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         name: Yarn Cache Save
         if: "${{ github.ref == 'refs/heads/main' }}"
         continue-on-error: true
@@ -103,13 +115,16 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
+      # https://github.com/actions/checkout/releases
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 1
-      - uses: actions/setup-node@v4
+      # https://github.com/actions/setup-node/releases
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 22
-      - uses: actions/cache/restore@v4
+      # https://github.com/actions/cache/releases
+      - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         name: Yarn Cache Restore
         id: yarn-cache
         continue-on-error: true
@@ -118,15 +133,17 @@ jobs:
           key: ${{ runner.os }}-yarn-v1-${{ hashFiles('yarn.lock') }}
           restore-keys: ${{ runner.os }}-yarn-v1
       - name: Yarn Install
-        uses: nick-fields/retry@v3
+        # https://github.com/nick-fields/retry/releases
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
         with:
           timeout_minutes: 15
           retry_wait_seconds: 30
           max_attempts: 3
           command: yarn
       - name: Consumer Type Test
         run: yarn tsc:compile:consumer
-      - uses: actions/cache/save@v4
+      # https://github.com/actions/cache/releases
+      - uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         name: Yarn Cache Save
         if: "${{ github.ref == 'refs/heads/main' }}"
         continue-on-error: true
@@ -140,13 +157,16 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
+      # https://github.com/actions/checkout/releases
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 1
-      - uses: actions/setup-node@v4
+      # https://github.com/actions/setup-node/releases
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 22
-      - uses: actions/cache/restore@v4
+      # https://github.com/actions/cache/releases
+      - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         name: Yarn Cache Restore
         id: yarn-cache
         continue-on-error: true
@@ -155,15 +175,17 @@ jobs:
           key: ${{ runner.os }}-yarn-with-website-v1-${{ hashFiles('yarn.lock') }}
           restore-keys: ${{ runner.os }}-yarn-with-website-v1
       - name: Yarn Install
-        uses: nick-fields/retry@v3
+        # https://github.com/nick-fields/retry/releases
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
         with:
           timeout_minutes: 15
           retry_wait_seconds: 30
           max_attempts: 3
           command: yarn
       - name: Generate TypeDoc
         run: yarn reference:api
-      - uses: actions/cache/save@v4
+      # https://github.com/actions/cache/releases
+      - uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         name: Yarn Cache Save
         if: "${{ github.ref == 'refs/heads/main' }}"
         continue-on-error: true

.github/workflows/pr_title.yml

@@ -17,10 +17,12 @@ jobs:
     env:
       GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
     steps:
-      - uses: actions/setup-node@v4
+      # https://github.com/actions/setup-node/releases
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 22
-      - uses: amannn/action-semantic-pull-request@v5
+      # https://github.com/amannn/action-semantic-pull-request/releases
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
         with:
           validateSingleCommit: true
           validateSingleCommitMatchesPrTitle: true

.github/workflows/publish.yml

@@ -13,12 +13,14 @@ jobs:
       id-token: write # enables OIDC for npmjs.com "Trusted Publisher" and provenance
       contents: read
     steps:
-      - uses: actions/checkout@v6
+      # https://github.com/actions/checkout/releases
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
           # Repository admin required to evade PR+checks branch protection
           token: ${{ secrets.GH_TOKEN }}
-      - uses: actions/setup-node@v6
+      # https://github.com/actions/setup-node/releases
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: lts/*
           registry-url: 'https://registry.npmjs.org'
@@ -29,7 +31,8 @@ jobs:
           npm install -g npm@latest
           npm --version
       - name: Yarn Install
-        uses: nick-fields/retry@v3
+        # https://github.com/nick-fields/retry/releases
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
         with:
           timeout_minutes: 15
           retry_wait_seconds: 60