Lock all actions to sha commits

aeshub · aeshub · commit 899b9201446e · 2026-04-09T16:11:53.000+02:00
diff --git a/.github/workflows/backend_lint_and_test.yml b/.github/workflows/backend_lint_and_test.yml
@@ -19,10 +19,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@vc2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 #v5
         with:
           dotnet-version: "10.0.x"
       - name: Build project and dependencies
@@ -32,10 +32,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@vc2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 #v5
         with:
           dotnet-version: "10.0.x"
 
@@ -48,10 +48,10 @@ jobs:
   check_formatting:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
 
       - name: Setup .NET Core
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@vc2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 #v5
         with:
           dotnet-version: "10.0.x"
 
diff --git a/.github/workflows/frontend_lint_and_test.yml b/.github/workflows/frontend_lint_and_test.yml
@@ -23,9 +23,9 @@ jobs:
         # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f #v6
         with:
           node-version: ${{ matrix.node-version }}
           cache: "npm"
@@ -50,7 +50,7 @@ jobs:
         working-directory: ./frontend
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
 
       - name: Run Prettier
         run: npm run prettier_check
@@ -61,7 +61,7 @@ jobs:
       run:
         working-directory: ./frontend
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
       - name: Install modules
         run: npm ci
       - name: Run ESLint
@@ -73,7 +73,7 @@ jobs:
       run:
         working-directory: ./frontend
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
       - name: Install modules
         run: npm ci
       - name: Run Unused Exports Check
diff --git a/.github/workflows/notifyMigrationChanges.yml b/.github/workflows/notifyMigrationChanges.yml
@@ -19,18 +19,18 @@ jobs:
       issues: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
 
       - name: Check for previous comment
         id: notify_comment_search
-        uses: peter-evans/find-comment@v3
+        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad #v4
         with:
           issue-number: ${{ github.event.number }}
           body-includes: ${{ env.message }}
 
       - name: Add comment if no comment exists
         if: ${{ !steps.notify_comment_search.outputs.comment-body }}
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 #v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           issue-number: ${{ github.event.number }}
diff --git a/.github/workflows/notifyPossibleMigrationUpdate.yml b/.github/workflows/notifyPossibleMigrationUpdate.yml
@@ -20,19 +20,19 @@ jobs:
       issues: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
 
       - name: Get changed files in the migrations folder
         id: changed_files
-        uses: tj-actions/changed-files@v46.0.5
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 #v47
         with:
           files: backend/api/Migrations/**
           sha: ${{ github.event.pull_request.head.sha }}
 
       - name: If no migrations, check for previous comment
         if: ${{ steps.changed_files.outputs.any_changed != 'true' }}
         id: notify_comment_search
-        uses: peter-evans/find-comment@v3
+        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad #v4
         with:
           issue-number: ${{ github.event.number }}
           body-includes: ${{ env.message }}
@@ -41,7 +41,7 @@ jobs:
         if: |
           !steps.notify_comment_search.outputs.comment-body &&
           steps.changed_files.outputs.any_changed != 'true'
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 #v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           issue-number: ${{ github.event.number }}
diff --git a/.github/workflows/promote_to_production.yml b/.github/workflows/promote_to_production.yml
@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout infrastructure
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
         with:
           ref: main
           repository: equinor/robotics-infrastructure
diff --git a/.github/workflows/publish_component.yml b/.github/workflows/publish_component.yml
@@ -34,23 +34,23 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
 
       - name: Log in to the Github Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4
         with:
           registry: ${{ inputs.Registry }}
           username: ${{ secrets.RegistryUsername }}
           password: ${{ secrets.RegistryPassword }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf #v6
         with:
           images: ${{ inputs.Registry }}/${{ inputs.ImageName }}-${{ inputs.ComponentName }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 #v7
         with:
           context: ./${{ inputs.ComponentName }}
           push: true
diff --git a/.github/workflows/runMigrations.yml b/.github/workflows/runMigrations.yml
@@ -32,7 +32,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
         with:
           ref: ${{ inputs.CheckoutRef }}
 
@@ -50,13 +50,13 @@ jobs:
 
       - name: Checkout Pull Request by SHA
         if: ${{ inputs.PullRequestCheckout }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ steps.pr_head_sha.outputs.pr_head_sha }}
 
       - name: Set up .NET
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@vc2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 #v5
         with:
           dotnet-version: "10.0.x"
 
diff --git a/.github/workflows/scan_with_trufflehog.yml b/.github/workflows/scan_with_trufflehog.yml
@@ -15,13 +15,13 @@ jobs:
         shell: bash
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
         with:
           fetch-depth: 0
 
       - name: TruffleHog OSS
         id: trufflehog
-        uses: trufflesecurity/trufflehog@v3.90.3
+        uses: trufflesecurity/trufflehog@6c64db94d5b2e09d7e0948fb6bd3166cc6fffbc7 #v3
         with:
           path: ./
           base: "${{ github.event.repository.default_branch }}"
diff --git a/.github/workflows/trivy-config.yml b/.github/workflows/trivy-config.yml
@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
         with:
           persist-credentials: false
 
@@ -37,7 +37,7 @@ jobs:
           exit-code: '0'
 
       - name: Upload scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 #v4
         with:
           sarif_file: 'trivy-results-iac.sarif'
 
diff --git a/.github/workflows/updateDatabase.yml b/.github/workflows/updateDatabase.yml
@@ -28,7 +28,7 @@ jobs:
       # Using the post request directly to be able to remove the reaction later (Need reaction id for this)
       # This allows the reaction to act as a status for the function.
       - name: React to comment
-        uses: octokit/request-action@v2.x
+        uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae #v3
         id: eyes
         with:
           route: POST /repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions
@@ -46,7 +46,7 @@ jobs:
       review_approved: ${{ contains(fromJson(steps.get.outputs.data).*.state, 'APPROVED') }}
       eyes_id: ${{ needs.base_check.outputs.eyes_id }}
     steps:
-      - uses: octokit/request-action@v2.x
+      - uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae #v3
         id: get
         with: # Search in PR's for this ID with review approved.
           # If no results, the PR is not approved
@@ -63,20 +63,20 @@ jobs:
       issues: write
     steps:
       - name: Remove 'eyes' reaction
-        uses: octokit/request-action@v2.x
+        uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae #v3
         with:
           route: DELETE /repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions/${{ needs.get_review_state.outputs.eyes_id }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: React to comment
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 #v5
         with:
           comment-id: ${{ github.event.comment.id }}
           reactions: confused, -1
 
       - name: Add comment
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 #v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           issue-number: ${{ github.event.issue.number }}
@@ -92,20 +92,20 @@ jobs:
       issues: write
     steps:
       - name: Remove 'eyes' reaction
-        uses: octokit/request-action@v2.x
+        uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae #v3
         with:
           route: DELETE /repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions/${{ needs.get_review_state.outputs.eyes_id }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: React to comment
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 #v5
         with:
           comment-id: ${{ github.event.comment.id }}
           reactions: rocket, +1
 
       - name: Add comment
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 #v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           issue-number: ${{ github.event.issue.number }}
@@ -133,7 +133,7 @@ jobs:
       issues: write
     steps:
       - name: Add comment
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 #v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           issue-number: ${{ github.event.issue.number }}
@@ -149,7 +149,7 @@ jobs:
       issues: write
     steps:
       - name: Add comment
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 #v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           issue-number: ${{ github.event.issue.number }}
diff --git a/.github/workflows/update_aurora_deployment.yml b/.github/workflows/update_aurora_deployment.yml
@@ -36,7 +36,7 @@ jobs:
       NAME: ${{ inputs.AuthorName }}
     steps:
       - name: Checkout infrastructure
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
         with:
           ref: main
           repository: equinor/robotics-infrastructure
diff --git a/.github/workflows/verifyMigrations.yml b/.github/workflows/verifyMigrations.yml
@@ -16,19 +16,19 @@ jobs:
     if: ${{ github.event_name == 'pull_request_target' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
 
       - name: Get changed files in the migrations folder
         id: changed-files-specific
-        uses: tj-actions/changed-files@v46.0.5
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 #v47
         with:
           files: backend/api/Migrations/**
           sha: ${{ github.event.pull_request.head.sha }}
 
       - name: If files changed, check for database success
         if: ${{ steps.changed-files-specific.outputs.any_changed == 'true' }}
         id: database_comment_search
-        uses: peter-evans/find-comment@v3
+        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad #v4
         with:
           issue-number: ${{ github.event.number }}
           body-includes: ${{ env.success_message }}
