[CI] Pin all actions

.github/workflows/email-check.yaml

@@ -40,7 +40,7 @@ jobs:
           [{"body" : "$COMMENT"}]
           EOF
 
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #v6.0.0
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         if: always()
         with:
           name: workflow-args

.github/workflows/pr-code-format.yml

@@ -59,7 +59,7 @@ jobs:
           clangformat: 20.1.8
 
       - name: Setup Python env
-        uses: actions/setup-python@v6.2.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.11'
           cache: 'pip'
@@ -83,7 +83,7 @@ jobs:
             --end-rev HEAD \
             --changed-files "$CHANGED_FILES"
 
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #v6.0.0
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         if: always()
         with:
           name: workflow-args

.github/workflows/scorecard.yml

@@ -49,7 +49,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: SARIF file
           path: results.sarif

.github/workflows/sycl-detect-changes.yml

@@ -94,11 +94,11 @@
 
       - name: Set output
         id: result
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
             if (${{steps.changed_files.outputs.changed_file_cnt}} < 500) {
               return '${{ steps.changes.outputs.changes }}';
             }
             // Treat everything as changed for huge PRs.
             return ["llvm", "llvm_spirv", "clang", "sycl_jit", "xptifw", "libclc", "sycl", "ci", "esimd", "ur", "ur_cuda_adapter", "ur_offload_adapter"];

.github/workflows/sycl-docs.yml

@@ -69,9 +69,9 @@ jobs:
         EOF
     # Upload the generated docs as an artifact and deploy to GitHub Pages.
     - name: Upload artifact
-      uses: actions/upload-pages-artifact@v4
+      uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
       with:
         path: ./install_docs
     - name: Deploy to GitHub Pages
       if: ${{ github.event_name == 'push' || inputs.update_gh_pages == 'true' }}
-      uses: actions/deploy-pages@v4
+      uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0

.github/workflows/sycl-hardening-check.yml

@@ -28,7 +28,7 @@ jobs:
         sudo apt install -y devscripts
 
     - name: Download SYCL toolchain
-      uses: actions/download-artifact@v7
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: ${{ inputs.sycl_linux_artifact }}
 
@@ -47,7 +47,7 @@ jobs:
             hardening-check "$file" | tee -a "./hardening-check.txt"
         done
 
-    - uses: actions/upload-artifact@v6
+    - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: hardening-check
         path: hardening-check.txt
@@ -63,7 +63,7 @@ jobs:
         unzip "windows.x64.Release.zip" -d winchecksec
 
     - name: Download SYCL toolchain
-      uses: actions/download-artifact@v7
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: ${{ inputs.sycl_windows_artifact }}
 
@@ -84,7 +84,7 @@ jobs:
             ./winchecksec/build/Release/winchecksec.exe "$file" | tee -a "./winchecksec.txt"
         done
 
-    - uses: actions/upload-artifact@v6
+    - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: winchecksec
         path: winchecksec.txt

.github/workflows/sycl-linux-build.yml

@@ -279,7 +279,7 @@ jobs:
       run: tar -I '${{ steps.artifact_info.outputs.COMPRESS }}' -cf ${{ steps.artifact_info.outputs.ARCHIVE_NAME }} -C $GITHUB_WORKSPACE/toolchain .
     - name: Upload toolchain release
       if: ${{ !cancelled() && steps.build.conclusion == 'success' && inputs.release_toolchain_artifact != '' }}
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: ${{ inputs.release_toolchain_artifact }}
         path: ${{ steps.artifact_info.outputs.ARCHIVE_NAME }}
@@ -302,7 +302,7 @@ jobs:
       run: tar -I '${{ steps.artifact_info.outputs.COMPRESS }}' -cf ${{ steps.artifact_info.outputs.ARCHIVE_NAME }} -C $GITHUB_WORKSPACE/toolchain .
     - name: Upload toolchain
       if: ${{ !cancelled() && steps.build.conclusion == 'success' }}
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: ${{ inputs.toolchain_artifact }}
         path: ${{ steps.artifact_info.outputs.ARCHIVE_NAME }}

.github/workflows/sycl-linux-precommit-aws.yml

@@ -26,7 +26,7 @@
       checks: write
       statuses: write
     steps:
-      - uses: actions/github-script@v8
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
             const sha = context.payload.workflow_run.head_sha
@@ -91,7 +91,7 @@
       checks: write
       statuses: write
     steps:
-      - uses: actions/github-script@v8
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
             const sha = context.payload.workflow_run.head_sha
@@ -103,7 +103,7 @@
               owner: context.repo.owner,
               repo: context.repo.repo,
               sha: sha,
               state: '${{ needs.e2e-cuda.result }}',
               target_url: this_run_url,
               description: 'SYCL E2E on AWS CUDA',
               context: 'SYCL E2E on AWS CUDA',

.github/workflows/sycl-linux-precommit.yml

@@ -85,7 +85,7 @@ jobs:
 
       # download build artefact
       - name: Download toolchain
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: sycl_linux_default
       - name: Extract SYCL toolchain

.github/workflows/sycl-linux-run-tests.yml

@@ -269,16 +269,16 @@
       uses: ./devops/actions/setup-vulkan/linux
     - name: Download SYCL toolchain
       if: inputs.toolchain_artifact != '' && github.event_name != 'workflow_run'
-      uses: actions/download-artifact@v7
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: ${{ inputs.toolchain_artifact }}
     - name: Download SYCL toolchain [workflow_run]
       # NOTE: This is for `sycl-linux-precommit-aws.yml`.
       if: inputs.toolchain_artifact != '' && github.event_name == 'workflow_run'
-      uses: actions/github-script@v8
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
       with:
         script: |
           const name = '${{ inputs.toolchain_artifact }}'
           let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,

.github/workflows/sycl-macos-build-and-test.yml

@@ -35,7 +35,7 @@ jobs:
       with:
         ref: ${{ inputs.build_ref }}
         path: src
-    - uses: actions/cache@v5
+    - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: build_cache_${{ inputs.build_cache_suffix }}
         key: sycl-${{ runner.os }}-${{ inputs.build_cache_suffix }}-${{ github.sha }}

.github/workflows/sycl-nightly.yml

@@ -417,10 +417,10 @@ jobs:
       contents: write
       id-token: write
     steps:
-    - uses: actions/download-artifact@v7
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: sycl_linux_default
-    - uses: actions/download-artifact@v7
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: sycl_windows_default
     - name: Sign with sigstore/cosign
@@ -458,7 +458,7 @@ jobs:
     needs: ubuntu2204_build
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-    - uses: actions/download-artifact@v7
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: sycl_linux_default
         path: devops/

.github/workflows/sycl-prebuilt-e2e-container.yml

@@ -63,12 +63,12 @@ jobs:
           tar -I 'zstd -9' -cf devops/e2e_sources.tar.zst -C ./llvm .
 
       - name: Download toolchain
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: toolchain
           path: devops/
       - name: Download E2E binaries
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: e2e_bin
           path: devops/

.github/workflows/sycl-stale-issues.yml

@@ -14,7 +14,7 @@ jobs:
       pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v10
+    - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
       with:
         stale-issue-message: 'This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be automatically closed in 30 days.'
         close-issue-message: 'This issue was closed because it has been stalled for 30 days with no activity. Please, re-open if the issue still exists.'

.github/workflows/sycl-windows-build.yml

@@ -118,7 +118,7 @@ jobs:
       with:
         sparse-checkout: |
           devops/actions
-    - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756
+    - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
       with:
         arch: amd64
     - name: Setup oneAPI env
@@ -197,7 +197,7 @@ jobs:
         diff -Naur src/sycl/test/abi/sycl_symbols_windows.dump build/new_sycl_symbols_windows.dump || true
     - name: Upload new ABI symbols
       if: ${{ !cancelled() && contains(inputs.changes, 'sycl') }}
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: sycl_windows_abi_symbols
         path: build/new_sycl_symbols_windows.dump
@@ -212,7 +212,7 @@ jobs:
       run: tar -czf ${{ inputs.toolchain_artifact_filename }} -C install .
     - name: Upload toolchain release
       if: ${{ !cancelled() && steps.build.conclusion == 'success' && inputs.release_toolchain_artifact != '' }}
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: ${{ inputs.release_toolchain_artifact }}
         path: ${{ inputs.toolchain_artifact_filename }}
@@ -231,7 +231,7 @@ jobs:
         tar -czf ${{ inputs.toolchain_artifact_filename }} -C install .
     - name: Upload toolchain
       if: ${{ !cancelled() && steps.build.conclusion == 'success' }}
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: sycl_windows_default
         path: ${{ inputs.toolchain_artifact_filename }}

.github/workflows/sycl-windows-run-tests.yml

@@ -99,7 +99,7 @@ jobs:
         sparse-checkout: |
           devops/actions
           sycl/cts_exclude_filter
-    - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756
+    - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
       with:
         arch: amd64
     - name: Setup oneAPI env
@@ -121,7 +121,7 @@ jobs:
           llvm/utils/lit
           sycl/test-e2e          
     - name: Download compiler toolchain
-      uses: actions/download-artifact@v7
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: ${{ inputs.toolchain_artifact }}
     - name: Extract SYCL toolchain

devops/actions/run-tests/benchmark/action.yml

@@ -414,7 +414,7 @@ runs:
       done
   - name: Archive benchmark results
     if: always()
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
     with:
       name: Benchmark run ${{ github.run_id }} (${{ env.SAVE_NAME }})
       path: ./cached_changes

devops/actions/run-tests/linux/cts/action.yml

@@ -75,15 +75,15 @@ runs:
 
   - name: Upload SYCL-CTS binaries
     if: ${{ !cancelled() && inputs.testing_mode == 'build-only' }}
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
     with:
       name: ${{ inputs.binaries_artifact }}
       path: sycl_cts_bin.tar.zst
       retention-days: ${{ inputs.retention-days }}
 
   - name: Download SYCL-CTS binaries
     if: inputs.testing_mode == 'run-only'
-    uses: actions/download-artifact@v4
+    uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
     with:
       name: ${{ inputs.binaries_artifact }}
 

devops/actions/run-tests/linux/e2e/action.yml

@@ -34,7 +34,7 @@ runs:
         sycl/test-e2e
   - name: Download E2E Binaries
     if: ${{ inputs.testing_mode == 'run-only' && inputs.binaries_artifact != 'in-container' }}
-    uses: actions/download-artifact@v4
+    uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
     with:
       name: ${{ inputs.binaries_artifact }}
   - name: Extract E2E Binaries
@@ -101,7 +101,7 @@ runs:
       tar -I 'zstd -9' -cf e2e_binaries.tar.zst -C ./build-e2e .
   - name: Upload E2E binaries
     if: ${{ !cancelled() && inputs.binaries_artifact != '' && inputs.testing_mode != 'run-only' }}
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
     with:
       name: ${{ inputs.binaries_artifact }}
       path: e2e_binaries.tar.zst

devops/actions/run-tests/windows/cts/action.yml

@@ -76,15 +76,15 @@ runs:
 
   - name: Upload SYCL-CTS binaries
     if:  ${{ !cancelled() && inputs.testing_mode == 'build-only' }}
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
     with:
       name: ${{ inputs.binaries_artifact }}
       path: sycl_cts_bin.tar.zst
       retention-days: ${{ inputs.retention-days }}
 
   - name: Download SYCL-CTS binaries
     if: inputs.testing_mode == 'run-only'
-    uses: actions/download-artifact@v4
+    uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
     with:
       name: ${{ inputs.binaries_artifact }}
 

devops/actions/run-tests/windows/e2e/action.yml

@@ -35,7 +35,7 @@ runs:
         sycl/test-e2e
   - name: Download E2E Binaries
     if: inputs.testing_mode == 'run-only'
-    uses: actions/download-artifact@v4
+    uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
     with:
       name: ${{ inputs.binaries_artifact }}
   - name: Extract E2E Binaries
@@ -116,7 +116,7 @@ runs:
       tar -czf e2e_bin.tar.gz -C build-e2e .
   - name: Upload E2E test binaries
     if: ${{ !cancelled() && inputs.binaries_artifact != '' && inputs.testing_mode != 'run-only' }}
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
     with:
       name: ${{ inputs.binaries_artifact }}
       path: e2e_bin.tar.gz