
Pin GitHub Actions to commit SHAs#1694

Open
Divyaasm wants to merge 1 commit into opensearch-project:main from Divyaasm:pin-actions-to-sha

Conversation

@Divyaasm

@Divyaasm Divyaasm commented May 21, 2026

Description

Pin all GitHub Action tag references to their corresponding commit SHAs.

Tags are mutable references that can be force-pushed to point to different commits, making them vulnerable to supply chain attacks. Commit SHAs are immutable and guarantee that the exact reviewed code is executed in CI workflows. This change pins all third-party actions to their current commit SHAs to prevent potential tampering.

Signed-off-by: Divya Madala <divyaasm@amazon.com>
@github-actions

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🧪 No relevant tests
🔒 No security concerns identified
✅ No TODO sections
🔀 No multiple PR themes
⚡ Recommended focus areas for review

Incorrect SHA

The SHA c2498b758c08fb7bc48476509a5fc1b8dd5f7493 is used for opensearch-project/opensearch-build/.github/workflows/get-ci-image-tag.yml@main. This SHA does not correspond to the main branch tag reference being replaced. Using an incorrect SHA defeats the purpose of pinning and may reference unintended code, potentially breaking the workflow or introducing security issues if the SHA points to malicious or incompatible code.

uses: opensearch-project/opensearch-build/.github/workflows/get-ci-image-tag.yml@c2498b758c08fb7bc48476509a5fc1b8dd5f7493 # main

Incorrect SHA

The SHA c2498b758c08fb7bc48476509a5fc1b8dd5f7493 is used for opensearch-project/opensearch-build/.github/workflows/issue-dedupe-detect.yml@main and issue-dedupe-autoclose.yml@main. This SHA does not correspond to the main branch tag reference being replaced. Using an incorrect SHA defeats the purpose of pinning and may reference unintended code, potentially breaking the workflow or introducing security issues.

uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-detect.yml@c2498b758c08fb7bc48476509a5fc1b8dd5f7493 # main

Incorrect SHA

The SHA c2498b758c08fb7bc48476509a5fc1b8dd5f7493 is used for opensearch-project/opensearch-build/.github/workflows/code-diff-analyzer.yml@main and code-diff-reviewer.yml@main. This SHA does not correspond to the main branch tag reference being replaced. Using an incorrect SHA defeats the purpose of pinning and may reference unintended code, potentially breaking the workflow or introducing security issues.

uses: opensearch-project/opensearch-build/.github/workflows/code-diff-analyzer.yml@c2498b758c08fb7bc48476509a5fc1b8dd5f7493 # main

Incorrect SHA

The SHA c2498b758c08fb7bc48476509a5fc1b8dd5f7493 is used for opensearch-project/opensearch-build/.github/workflows/get-ci-image-tag.yml@main. This SHA does not correspond to the main branch tag reference being replaced. Using an incorrect SHA defeats the purpose of pinning and may reference unintended code, potentially breaking the workflow or introducing security issues.

uses: opensearch-project/opensearch-build/.github/workflows/get-ci-image-tag.yml@c2498b758c08fb7bc48476509a5fc1b8dd5f7493 # main

@github-actions

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Possible issue
Update deprecated action version

The pinned SHA b6e674f4b717d7b0ae3baee0fbe79f498905dfde corresponds to v1 which is
deprecated and uses Node.js 12. This will cause workflow failures as GitHub Actions
no longer supports Node.js 12. Update to use the SHA for v4 instead, which is
already used in other workflows.

.github/workflows/build.yml [29]

 - name: Set Up JDK ${{ matrix.java }}
-  uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1
+  uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
   with:
     java-version: ${{ matrix.java }}
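Review bot: the `# v4` comment on the `+` line is the only thing tying c1e323688fd81a25caa38c78aa6df2d33d3e20d9 to a release, so before accepting, confirm the SHA resolves to a setup-java v4 tag (for example with `git ls-remote --tags`) and record the exact tag in the comment (a v4.x.y release rather than the moving v4 major tag) so later audits and automated pin updaters can re-verify it. The suggestion text says v4 is "already used in other workflows", but the hunk shows only build.yml, so cross-check that those workflows pin the same SHA rather than a different v4 commit.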
Suggestion importance[1-10]: 9


Why: The pinned SHA corresponds to deprecated v1 which uses Node.js 12, no longer supported by GitHub Actions. This will cause workflow failures. The suggestion correctly identifies the need to update to v4 SHA used elsewhere in the codebase.

High
General
Update to consistent codecov version

The pinned SHA e156083f13aff6830c92fc5faa23505779fbf649 corresponds to v1.2.1 which
is outdated. The build-and-test.yml workflow uses v4 with SHA
b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238. Update to use the same version for
consistency and to benefit from improvements and security fixes.

.github/workflows/security-knn-tests.yml [107]

 - name: Uploads coverage
   with:
     fetch-depth: 2
-  uses: codecov/codecov-action@e156083f13aff6830c92fc5faa23505779fbf649 # v1.2.1
+  uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
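Review bot: `fetch-depth: 2` under `with:` on the `Uploads coverage` step is an actions/checkout input, not one the codecov upload step consumes, so it is worth checking whether it was meant for a preceding checkout step; an unknown input left in place only adds warning noise that can mask a real misconfiguration. As with the setup-java suggestion, the `# v4` comment should name the exact release that b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 was taken from, since a major-version comment cannot be re-verified against a single commit.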
Suggestion importance[1-10]: 6


Why: The suggestion correctly identifies that codecov/codecov-action@v1.2.1 is outdated compared to v4 used in other workflows. Updating ensures consistency and access to improvements, though the impact is moderate as v1.2.1 may still function.

Low
