[StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <[email protected]>

.github/workflows/bats.yaml

@@ -56,7 +56,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Fetch install script
-      uses: actions/checkout@v4
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       with:
         persist-credentials: false
         sparse-checkout-cone-mode: false
@@ -110,7 +110,7 @@ jobs:
     runs-on: ${{ matrix.host }}
     steps:
     - name: Fetch install script
-      uses: actions/checkout@v4
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       with:
         persist-credentials: false
         sparse-checkout-cone-mode: false
@@ -318,7 +318,7 @@ jobs:
 
     - name: Upload logs
       if: ${{ !cancelled() }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: ${{ steps.log_name.outputs.name }}
         path: logs/
@@ -331,17 +331,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Fetch summarizer script
-      uses: actions/checkout@v4
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       with:
         persist-credentials: false
         sparse-checkout-cone-mode: false
         sparse-checkout: |
           package.json
           .github/workflows/bats/summarize.mjs
-    - uses: actions/setup-node@v4
+    - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
       with:
         node-version-file: package.json
-    - uses: actions/download-artifact@v4
+    - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       with:
         pattern: "*.logs"
     - run: node .github/workflows/bats/summarize.mjs

.github/workflows/github-runner-build-image.yaml

@@ -18,13 +18,13 @@ jobs:
     - run: >-
         zypper --non-interactive install python3-kiwi kiwi-systemdeps-disk-images sudo tar
     - run: echo 'ALL ALL=(ALL:ALL) NOPASSWD:ALL' > /etc/sudoers.d/nopasswd
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       with:
         persist-credentials: false
         sparse-checkout: src/disk-images/github-runner-linux
     - run: ./build-image.sh
       working-directory: src/disk-images/github-runner-linux
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: github-runner-image.qcow2.zip
         path: src/disk-images/github-runner-linux/*.qcow2

.github/workflows/github-runner-monitor-build.yaml

@@ -16,13 +16,13 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       with:
         persist-credentials: false
         sparse-checkout: |
           src/go/github-runner-monitor
           .github/workflows/config
-    - uses: actions/setup-go@v5
+    - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         go-version-file: go.work
         cache-dependency-path: src/go/github-runner-monitor/go.sum
@@ -31,12 +31,12 @@ jobs:
       env:
         CGO_ENABLED: '0'
         GOWORK: off
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: github-runner-linux
         path: src/go/github-runner-monitor/github-runner-monitor
         if-no-files-found: error
-    - uses: golangci/[email protected]
+    - uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
       # This is only safe because this workflow does not allow writing
       with:
         args: --config=${{ github.workspace }}/.github/workflows/config/.golangci.yaml  --verbose --timeout 3m

.github/workflows/go-work-sync.yaml

@@ -25,15 +25,15 @@ jobs:
       id-token: write # Required for ./.github/actions/get-token
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       with:
         ref: ${{ github.base_ref }}
     - id: get-token
       uses: ./.github/actions/get-token
       with:
         token-secret: ${{ secrets.RUN_WORKFLOW_FROM_WORKFLOW }}
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       with:
         persist-credentials: true
         ref: ${{ github.head_ref }}

.github/workflows/linux-e2e.yaml

@@ -16,7 +16,7 @@ jobs:
     timeout-minutes: 150
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           persist-credentials: false
       - uses: ./.github/actions/yarn-install
@@ -43,7 +43,7 @@ jobs:
           CI: true
         timeout-minutes: 150
       - name: Upload failure reports
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: always()
         with:
           name: failure-reports.zip

.github/workflows/linux-release.yaml

@@ -13,7 +13,7 @@ jobs:
   linux-release:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       with:
         persist-credentials: false
         fetch-depth: 0

.github/workflows/macM1-e2e.yaml

@@ -13,7 +13,7 @@ jobs:
     env:
       M1: 1
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           persist-credentials: false
           ref: main
@@ -48,7 +48,7 @@ jobs:
         if: failure()
         run: mkdir -p ./e2e/reports
       - name: Upload Artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: failure()
         with:
           name: e2etest-artifacts

.github/workflows/package.yaml

@@ -50,7 +50,7 @@ jobs:
           runs-on: ubuntu-20.04
     runs-on: ${{ matrix.runs-on }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       with:
         persist-credentials: false
         # Needed to run `git describe` to get full version info
@@ -62,42 +62,42 @@ jobs:
       if: matrix.platform == 'linux'
       run: make -C bats bats.tar.gz
     - name: Upload bats.tar.gz
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       if: matrix.platform == 'linux'
       with:
         name: bats.tar.gz
         path: bats/bats.tar.gz
         if-no-files-found: error
     - name: Upload mac disk image
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       if: matrix.platform == 'mac'
       with:
         name: Rancher Desktop.${{ matrix.arch }}.dmg
         path: dist/Rancher Desktop*.dmg
         if-no-files-found: error
     - name: Upload mac zip
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       if: matrix.platform == 'mac'
       with:
         name: Rancher Desktop-mac.${{ matrix.arch }}.zip
         path: dist/Rancher Desktop*.zip
         if-no-files-found: error
     - name: Upload Windows installer
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       if: matrix.platform == 'win'
       with:
         name: Rancher Desktop Setup.msi
         path: dist/Rancher.Desktop*.msi
         if-no-files-found: error
     - name: Upload Windows zip
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       if: matrix.platform == 'win'
       with:
         name: Rancher Desktop-win.zip
         path: dist/Rancher Desktop-*-win.zip
         if-no-files-found: error
     - name: Upload Linux zip
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       if: matrix.platform == 'linux'
       with:
         name: Rancher Desktop-linux.zip
@@ -142,11 +142,11 @@ jobs:
     permissions:
       contents: read
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       with:
         persist-credentials: false
     - uses: ./.github/actions/yarn-install
-    - uses: actions/download-artifact@v4
+    - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       name: Download artifact
       with:
         name: Rancher Desktop-win.zip
@@ -195,11 +195,11 @@ jobs:
     permissions:
       contents: read
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       with:
         persist-credentials: false
     - uses: ./.github/actions/yarn-install
-    - uses: actions/download-artifact@v4
+    - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       name: Download artifact
       with:
         name: Rancher Desktop-mac.${{ matrix.arch }}.zip

.github/workflows/paths-ignore.yaml

@@ -54,7 +54,7 @@ jobs:
         echo "$PATHS_IGNORE" >> "$GITHUB_ENV"
       env:
         INPUT: ${{ inputs.paths-ignore-globs }}
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       if: github.event_name == 'pull_request'
       with:
         fetch-depth: 0

.github/workflows/rdx-host-api-tests.yaml

@@ -13,23 +13,23 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       with:
         persist-credentials: false
-    - uses: docker/setup-qemu-action@v3
-    - uses: docker/setup-buildx-action@v3
-    - uses: docker/metadata-action@v5
+    - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+    - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+    - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
       id: meta
       with:
         images: |
           ghcr.io/${{ github.repository }}/rdx-host-api-test
         tags: type=raw,value=latest,enable={{ is_default_branch }}
-    - uses: docker/login-action@v3
+    - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
         password: ${{ github.token }}
-    - uses: docker/build-push-action@v6
+    - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
       with:
         build-args: variant=host-apis
         context: bats/tests/extensions/testdata

.github/workflows/release-merge-to-main.yaml

@@ -31,7 +31,7 @@ jobs:
     permissions:
       contents: write
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
     - uses: ./.github/actions/yarn-install
     - run: node scripts/ts-wrapper.js scripts/release-merge-to-main.ts
       env:

.github/workflows/scorecard.yml

@@ -60,6 +60,6 @@ jobs:
     # Upload the results to GitHub's code scanning dashboard (optional).
     # Commenting out will disable upload of results to your repo's Code Scanning dashboard
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
       with:
         sarif_file: results.sarif

.github/workflows/screenshot.yaml

@@ -65,7 +65,7 @@ jobs:
       env:
         EXEC_COMMAND: # On Windows, we don't need any commands.
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       with:
         persist-credentials: false
     - uses: ./.github/actions/yarn-install
@@ -81,13 +81,13 @@ jobs:
         RD_ENV_SCREENSHOT_SLEEP: 5000
         RD_LOGS_DIR: logs
     - name: Upload screenshots
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: screenshots-${{ matrix.platform }}.zip
         path: screenshots/output/
         if-no-files-found: error
     - name: Upload logs
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       if: always()
       with:
         name: logs-${{ matrix.platform }}.zip
@@ -103,7 +103,7 @@ jobs:
       cancel-in-progress: true
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/download-artifact@v4
+    - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       with:
         pattern: screenshots-*.zip
         merge-multiple: true
@@ -140,7 +140,7 @@ jobs:
         gm composite -gravity center in/darwin/light/preferences/*_kubernetes.png in/darwin/light/main/*_General.png darwin.png
         gm composite -gravity center in/win32/light/preferences/*_kubernetes.png in/win32/light/main/*_General.png win32.png
         gm convert darwin.png win32.png +append out/getting-started/introduction_preferences_tabKubernetes.png
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: screenshots.zip
         path: out