From 56d08e1b4d662bd6fe073d07469963c8ff84a61e Mon Sep 17 00:00:00 2001
From: StepSecurity Bot <bot@stepsecurity.io>
Date: Wed, 18 Sep 2024 09:19:02 +0000
Subject: [PATCH] ci: Harden GitHub Actions

Update GitHub actions to use full length commit ids for
third-party actions to reduce security risk in case of vulnerabilities.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: Nikhil-Ladha <nikhilladha1999@gmail.com>
---
 .github/workflows/auto-assign.yaml            |  3 ++-
 .github/workflows/build-multi-stage.yaml      |  3 ++-
 .github/workflows/codespell.yaml              |  3 ++-
 .github/workflows/commitlint.yaml             |  3 ++-
 .github/workflows/dependency-review.yaml      |  6 ++++--
 .github/workflows/go-test.yaml                | 12 ++++++++----
 .github/workflows/golangci-lint.yaml          |  3 ++-
 .github/workflows/lint-extras.yaml            |  3 ++-
 .github/workflows/mergify-copy-labels.yaml    |  2 +-
 .github/workflows/mod-check.yaml              |  3 ++-
 .github/workflows/publish-artifacts.yaml      |  6 ++++--
 .github/workflows/pull-request-commentor.yaml | 18 ++++++++++++------
 .github/workflows/retest.yaml                 |  3 ++-
 .github/workflows/snyk-container-image.yaml   |  9 ++++++---
 .github/workflows/snyk.yaml                   |  6 ++++--
 .github/workflows/stale.yaml                  |  3 ++-
 .github/workflows/test-retest-action.yaml     |  3 ++-
 .github/workflows/tickgit.yaml                |  3 ++-
 18 files changed, 61 insertions(+), 31 deletions(-)

diff --git a/.github/workflows/auto-assign.yaml b/.github/workflows/auto-assign.yaml
index fce7665e5..907e702af 100644
--- a/.github/workflows/auto-assign.yaml
+++ b/.github/workflows/auto-assign.yaml
@@ -11,7 +11,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: take the issue
-        uses: bdougie/take-action@main
+        # yamllint disable-line rule:line-length
+        uses: bdougie/take-action@1439165ac45a7461c2d89a59952cd7d941964b87  # main
         with:
           message: >
             Thanks for taking this issue!
diff --git a/.github/workflows/build-multi-stage.yaml b/.github/workflows/build-multi-stage.yaml
index 333bcc13b..55549c6e6 100644
--- a/.github/workflows/build-multi-stage.yaml
+++ b/.github/workflows/build-multi-stage.yaml
@@ -13,7 +13,8 @@ jobs:
     name: multi-arch-build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
       - name: multi-arch-build
         # yamllint disable-line rule:line-length
         if: ${{ ! contains(github.event.pull_request.labels.*.name, 'ci/skip/multi-arch-build') }}
diff --git a/.github/workflows/codespell.yaml b/.github/workflows/codespell.yaml
index ece48c9f1..2b0de4429 100644
--- a/.github/workflows/codespell.yaml
+++ b/.github/workflows/codespell.yaml
@@ -15,6 +15,7 @@ jobs:
     name: codespell
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
       - name: codespell
         run: make containerized-test TARGET=codespell
diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
index 7b7b653ba..877151a0f 100644
--- a/.github/workflows/commitlint.yaml
+++ b/.github/workflows/commitlint.yaml
@@ -14,7 +14,8 @@ jobs:
     if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: commitlint
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
index fd204ebee..867c2674d 100644
--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -15,8 +15,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@v4
+        # yamllint disable-line rule:line-length
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v4
+        # yamllint disable-line rule:line-length
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c  # v4.3.4
         with:
           allow-ghsas: GHSA-f4w6-3rh6-6q4q
diff --git a/.github/workflows/go-test.yaml b/.github/workflows/go-test.yaml
index da1adca2d..1818375de 100644
--- a/.github/workflows/go-test.yaml
+++ b/.github/workflows/go-test.yaml
@@ -14,7 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repo
-        uses: actions/checkout@v4
+        # yamllint disable-line rule:line-length
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332   # v4.1.7
 
       - name: Check generated deploy code
         run: make generate-deploy
@@ -29,20 +30,23 @@ jobs:
     name: e2e-build-test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
       - name: e2e-build-test
         run: make containerized-build TARGET=e2e.test
   go-test:
     name: go-test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
       - name: go-test
         run: make containerized-test TARGET=go-test
   go-test-api:
     name: go-test-api
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
       - name: go-test-api
         run: make containerized-test TARGET=go-test-api
diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml
index 7d18eafb0..f0473ef8d 100644
--- a/.github/workflows/golangci-lint.yaml
+++ b/.github/workflows/golangci-lint.yaml
@@ -13,6 +13,7 @@ jobs:
     name: golangci-lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
       - name: golangci-lint
         run: make containerized-test TARGET=go-lint
diff --git a/.github/workflows/lint-extras.yaml b/.github/workflows/lint-extras.yaml
index de6fcd363..8c04d7eea 100644
--- a/.github/workflows/lint-extras.yaml
+++ b/.github/workflows/lint-extras.yaml
@@ -13,6 +13,7 @@ jobs:
     name: lint-extras
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
       - name: lint-extras
         run: make containerized-test TARGET=lint-extras
diff --git a/.github/workflows/mergify-copy-labels.yaml b/.github/workflows/mergify-copy-labels.yaml
index 3323b438c..dbcdd5c44 100644
--- a/.github/workflows/mergify-copy-labels.yaml
+++ b/.github/workflows/mergify-copy-labels.yaml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Copying labels
-        uses: Mergifyio/gha-mergify-merge-queue-labels-copier@main
+        uses: Mergifyio/gha-mergify-merge-queue-labels-copier@1d2b277f94d52987008ec05b571fb68f2357e63f  # main
         with:
           additional-labels: 'ok-to-test'
           token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
diff --git a/.github/workflows/mod-check.yaml b/.github/workflows/mod-check.yaml
index b94460ad3..3809d9e39 100644
--- a/.github/workflows/mod-check.yaml
+++ b/.github/workflows/mod-check.yaml
@@ -13,6 +13,7 @@ jobs:
     name: mod-check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
       - name: mod-check
         run: make containerized-test TARGET=mod-check
diff --git a/.github/workflows/publish-artifacts.yaml b/.github/workflows/publish-artifacts.yaml
index b29f7cf2f..066a9681d 100644
--- a/.github/workflows/publish-artifacts.yaml
+++ b/.github/workflows/publish-artifacts.yaml
@@ -18,10 +18,12 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'ceph/ceph-csi'
     steps:
-      - uses: actions/checkout@v4
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
 
       - name: Login to Quay
-        uses: docker/login-action@v3
+        # yamllint disable-line rule:line-length
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_IO_USERNAME }}
diff --git a/.github/workflows/pull-request-commentor.yaml b/.github/workflows/pull-request-commentor.yaml
index 4941651a5..d64d74cdd 100644
--- a/.github/workflows/pull-request-commentor.yaml
+++ b/.github/workflows/pull-request-commentor.yaml
@@ -51,7 +51,8 @@ jobs:
           Add comment to trigger external storage tests for Kubernetes
           ${{ matrix.k8s }}
         if: ${{ github.base_ref == matrix.branch }}
-        uses: peter-evans/create-or-update-comment@v4
+        # yamllint disable-line rule:line-length
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043  # v4.0.0
         with:
           token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
           issue-number: ${{ github.event.pull_request.number }}
@@ -62,7 +63,8 @@ jobs:
           Add comment to trigger helm E2E tests for Kubernetes
           ${{ matrix.k8s }}
         if: ${{ github.base_ref == matrix.branch }}
-        uses: peter-evans/create-or-update-comment@v4
+        # yamllint disable-line rule:line-length
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043  # v4.0.0
         with:
           token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
           issue-number: ${{ github.event.pull_request.number }}
@@ -70,7 +72,8 @@ jobs:
             /test ci/centos/mini-e2e-helm/k8s-${{ matrix.k8s }}
 
       - name: Add comment to trigger E2E tests for Kubernetes ${{ matrix.k8s }}
-        uses: peter-evans/create-or-update-comment@v4
+        # yamllint disable-line rule:line-length
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043  # v4.0.0
         if: ${{ github.base_ref == matrix.branch }}
         with:
           token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
@@ -87,7 +90,8 @@ jobs:
 
     steps:
       - name: Add comment to trigger cephfs upgrade tests
-        uses: peter-evans/create-or-update-comment@v4
+        # yamllint disable-line rule:line-length
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043  # v4.0.0
         with:
           token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
           issue-number: ${{ github.event.pull_request.number }}
@@ -95,7 +99,8 @@ jobs:
             /test ci/centos/upgrade-tests-cephfs
 
       - name: Add comment to trigger rbd upgrade tests
-        uses: peter-evans/create-or-update-comment@v4
+        # yamllint disable-line rule:line-length
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043  # v4.0.0
         with:
           token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
           issue-number: ${{ github.event.pull_request.number }}
@@ -116,7 +121,8 @@ jobs:
 
     steps:
       - name: remove ok-to-test-label after commenting
-        uses: actions/github-script@v7
+        # yamllint disable-line rule:line-length
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # v7.0.1
         with:
           github-token: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
           script: |
diff --git a/.github/workflows/retest.yaml b/.github/workflows/retest.yaml
index 818796275..f99d3f59e 100644
--- a/.github/workflows/retest.yaml
+++ b/.github/workflows/retest.yaml
@@ -15,7 +15,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # path to the retest action
-      - uses: ceph/ceph-csi/actions/retest@devel
+      # yamllint disable-line rule:line-length
+      - uses: ceph/ceph-csi/actions/retest@28dc64dcae3cec8d11d84bdf525bda0ef757c688  # devel
         with:
           GITHUB_TOKEN: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
           required-label: "ci/retry/e2e"
diff --git a/.github/workflows/snyk-container-image.yaml b/.github/workflows/snyk-container-image.yaml
index 74b9b55d2..eabfca77b 100644
--- a/.github/workflows/snyk-container-image.yaml
+++ b/.github/workflows/snyk-container-image.yaml
@@ -26,18 +26,21 @@ jobs:
     if: github.repository == 'ceph/ceph-csi'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
       - name: Build a Docker image
         run: make image-cephcsi
       - name: Run Snyk to check Docker image for vulnerabilities
         continue-on-error: true
-        uses: snyk/actions/docker@master
+        # yamllint disable-line rule:line-length
+        uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e  # master
         env:
           SNYK_TOKEN: ${{ secrets.SYNK_TOKEN }}
         with:
           image: quay.io/cephcsi/cephcsi:${{ github.base_ref }}
           args: --file=Dockerfilei
       - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v3
+        # yamllint disable-line rule:line-length
+        uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d  # v3.26.7
         with:
           sarif_file: snyk.sarif
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
index dd1ed75f7..8ee96f14d 100644
--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
@@ -20,11 +20,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        # yamllint disable-line rule:line-length
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
         with:
           fetch-depth: 0
 
       - name: run Snyk to check for code vulnerabilities
-        uses: snyk/actions/golang@master
+        # yamllint disable-line rule:line-length
+        uses: snyk/actions/golang@cdb760004ba9ea4d525f2e043745dfe85bb9077e  # master
         env:
           SNYK_TOKEN: ${{ secrets.SYNK_TOKEN }}
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 01fa31fe3..629919591 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -18,7 +18,8 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'ceph/ceph-csi'
     steps:
-      - uses: actions/stale@v9
+      # yamllint disable-line rule:line-length
+      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e  # v9.0.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           days-before-issue-stale: 30
diff --git a/.github/workflows/test-retest-action.yaml b/.github/workflows/test-retest-action.yaml
index e8578179b..183bda633 100644
--- a/.github/workflows/test-retest-action.yaml
+++ b/.github/workflows/test-retest-action.yaml
@@ -15,7 +15,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
 
       - name: Docker build
         # Run cd to avoid loading complete cephcsi directory in docker context
diff --git a/.github/workflows/tickgit.yaml b/.github/workflows/tickgit.yaml
index 2b49b48eb..106e380fd 100644
--- a/.github/workflows/tickgit.yaml
+++ b/.github/workflows/tickgit.yaml
@@ -14,5 +14,6 @@ jobs:
     name: tickgit
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
       - run: make containerized-test TARGET=tickgit