chore(ci): pin actions by commit hash

Protect the repository from malicious retroactive tag modification.

Signed-off-by: Krisztian Szilvasi <34309983+kr-t@users.noreply.github.com>

Author: kr-t

.github/workflows/devcontainer-linux.yml

@@ -26,7 +26,7 @@ jobs:
       - name: Clean workspace
         run: find . -name . -o -prune -exec rm -rf -- {} +
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
 
@@ -60,7 +60,7 @@ jobs:
 
     steps:
       - name: Checkout the code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4

.github/workflows/devcontainer-zephyr.yml

@@ -26,7 +26,7 @@ jobs:
       - name: Clean workspace
         run: find . -name . -o -prune -exec rm -rf -- {} +
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
 
@@ -54,7 +54,7 @@ jobs:
 
     steps:
       - name: Checkout the code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4

.github/workflows/formatting-checks.yml

@@ -28,7 +28,7 @@ jobs:
         run: find . -name . -o -prune -exec rm -rf -- {} +
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
 

.github/workflows/hardware-bu585.yml

@@ -48,7 +48,7 @@ jobs:
           find . -name . -o -prune -exec rm -rf -- {} +
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           path: ocre-runtime
           submodules: recursive
@@ -72,7 +72,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Run mini sample Test Case
         run: |
@@ -102,7 +102,7 @@ jobs:
           find . -name . -o -prune -exec rm -rf -- {} +
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           path: ocre-runtime
           submodules: recursive
@@ -126,7 +126,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Run Demo Sample Test Case
         run: |
@@ -156,7 +156,7 @@ jobs:
           find . -name . -o -prune -exec rm -rf -- {} +
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           path: ocre-runtime
           submodules: recursive
@@ -188,7 +188,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Supervisor ${{ matrix.test.name }} Testcase
         run: |

.github/workflows/linux.yml

@@ -28,7 +28,7 @@ jobs:
         run: find . -name . -o -prune -exec rm -rf -- {} +
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           submodules: true
 
@@ -67,7 +67,7 @@ jobs:
         run: make coverage report.md
 
       - name: Upload coverage report
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: ocre-coverage
           include-hidden-files: true

.github/workflows/zephyr-systests.yml

@@ -36,7 +36,7 @@ jobs:
         run: find . -name . -o -prune -exec rm -rf -- {} +
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           path: ocre-runtime
           submodules: true

.github/workflows/zephyr.yml

@@ -38,7 +38,7 @@ jobs:
         run: find . -name . -o -prune -exec rm -rf -- {} +
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           path: ocre-runtime
           submodules: true
@@ -67,7 +67,7 @@ jobs:
           echo "BOARD_NAME=$(printf "%s\n" "$BOARD" | tr / _)" >> $GITHUB_ENV
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: ocre-zephyr-${{ env.BOARD_NAME }}-${{ matrix.app }}
           include-hidden-files: true
@@ -99,7 +99,7 @@ jobs:
           echo "BOARD_NAME=$(printf "%s\n" "$BOARD" | tr / _)" >> $GITHUB_ENV
 
       - name: Download build artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
         with:
           name: ocre-zephyr-${{ env.BOARD_NAME }}-${{ matrix.app }}