[Security] Pin GitHub Actions to a full-length commit SHA

[juliendoutre]

Pin GitHub Actions to SHA hashes

This automated PR pins third-party GitHub Actions references from mutable tag versions (e.g., @v4) to their corresponding SHA hashes (e.g., @abc123...). The original tag is preserved as a comment for readability. Your workflows will work exactly the same way. Internal actions (under the DataDog organization) are not pinned.

Read https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions for more details and info on how to configure this for entire repos.

Why pin GitHub Actions?

Git tags are mutable: they can be moved to point to different commits at any time. A compromised or malicious action maintainer could update a tag to inject arbitrary code into your CI workflows (see the tj-actions incident). Pinning to SHA hashes ensures you always run the exact code you reviewed, protecting your repository from supply chain attacks such as the tj-actions incident.

What if something breaks?

If a pinned action doesn't work for your use case, you can push a commit directly to this branch to fix it. As a last resort, reach out to #sdlc-security on Slack.

Set up Dependabot or Renovate for automatic updates

Once actions are pinned to SHA hashes, you should configure Dependabot or Renovate to receive weekly update PRs when new versions are available.

In the case of Dependabot, create or update .github/dependabot.yml:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"
    open-pull-requests-limit: 10

Dependabot will automatically propose PRs that update both the SHA hash and the version comment like in this example.

---

This PR was automatically generated by the GitHub Actions Pinning tool, owned by #sdlc-security.

[yannham]

The description of this PR says:

Internal actions (under the DataDog organization) are not pinned

but this seems to be an internal action? I suppose something choked on the different capitalization...

[juliendoutre]

Yes you're right, the code is case sensitive, I will update it to prevent this to happen again, thank you for flagging 🙇

[watson]

The versions in Quards repo is messed up which is also why I think I left it out when I previously upgraded this action to use commit SHAs. 1e02edbdda803a45537a808ede97866db47756d3 doesn't match up with v1.0.0, but I agree that it's 1e02edbdda803a45537a808ede97866db47756d3 we want though

[juliendoutre]

Good point, the reason why the tool expanded v1 to a full semver v1.0.0 is in case you wanna use dependabot or renovate which only updates the version comments correctly if they are valid semver. Else, they bump the hash but not the comment next to it that they consider being an arbitrary git ref with no specific meaning. Feel free to revert to v1 if you'd rather use it.

[watson]

The reason why I left this one out when I updated all the other references to use the commit hash in a previous PR, was because its repository doesn't use semver git tags and several of the published versions to npm doesn't even have associated tags. So I think the best thing to do here is just hardcode the commit SHA like we do here. The v1.0.0 comment is probably going to confuse someone, so I prefer that we leave it out, as it's incorrect. If anything it's more like v1.0.2, but in reality it's not even that.

[juliendoutre]

Sounds good!

[juliendoutre]

Closing the PR as the changes impact two internal actions that were incorrectly flagged and one action with a non valid semver tag that's creating confusion.