
Conversation

@gopidesupavan
Member

Which issue does this PR close?

  • Closes #.

Rationale for this change

What changes are included in this PR?

The change is to pin all the GitHub Actions. It is a more secure way to use GitHub Actions, and soon ASF Infra will enforce the use of commit SHAs for actions.

More info can be found here; a few actions expire soon.
https://github.com/apache/infrastructure-actions/blob/main/actions.yml
https://infra.apache.org/github-actions-policy.html

Are these changes tested?

Are there any user-facing changes?

No

@github-actions github-actions bot added the development-process Related to development process of DataFusion label Jul 29, 2025
@gopidesupavan
Member Author

https://octopin.readthedocs.io/en/latest/ is a very helpful library for pinning actions.

Contributor

@alamb alamb left a comment

Thank you @gopidesupavan

I double checked all the hash values corresponded to the specified versions

I will sleep better at night with this potential attack vector reduced

@gopidesupavan
Member Author

> Thank you @gopidesupavan
>
> I double checked all the hash values corresponded to the specified versions
>
> I will sleep better at night with this potential attack vector reduced

Cool :) Happy to help. On a side note, it would be nice to have a zizmor pre-commit setup (https://github.com/zizmorcore/zizmor). It is really useful: it validates GitHub Actions workflows, how tokens are used, syntax, etc.; very powerful. We at Apache Airflow use https://github.com/apache/airflow/blob/main/.pre-commit-config.yaml#L366.

If you're happy, I am fine to add this to DataFusion; please let me know :)

@alamb
Contributor

alamb commented Jul 30, 2025

Thanks @gopidesupavan 🙏

I am somewhat hesitant to add more CI jobs (that need to be maintained) but I suggest we file a ticket to track the idea of adding zizmor

@alamb alamb merged commit 9b27952 into apache:main Jul 30, 2025
27 checks passed
Standing-Man pushed a commit to Standing-Man/datafusion that referenced this pull request Aug 4, 2025
Co-authored-by: Andrew Lamb <andrew@nerdnetworks.org>
@findepi
Member

findepi commented Aug 8, 2025

I think it would make sense to add some validation to GH workflows that all 3rd party actions are indeed SHA-pinned.
It can be yet another workflow, but it can also be just a Rust test that opens workflow files (yaml) and inspects them. A bit ugly but super powerful.
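
The following is an added example, not code from this PR or from the DataFusion project. It shows what the PR's change looks like from the checking side: the "Rust test that opens workflow files" suggested above, implemented with the standard library only so it could live in an ordinary `cargo test`. It assumes the usual one-line `uses:` style and scans those lines instead of parsing YAML fully; the sample workflow and the 40-hex SHA in it are constructed for the example and do not correspond to any real action release. Local actions (`./path`) are skipped because they live in the repository itself; every other action must carry a full 40-hex commit SHA, and `docker://` images must carry a `@sha256:` digest.

```rust
// Added example, not DataFusion project code: a std-only check that every
// third-party `uses:` reference in a GitHub Actions workflow is pinned to a full
// 40-hex commit SHA (or, for docker:// images, to a sha256 digest). It scans
// `uses:` lines rather than parsing YAML fully, so it needs no external crates.
use std::fs;

#[derive(Debug, PartialEq)]
pub struct Violation {
    pub line: usize,          // 1-based line number in the workflow text
    pub uses: String,         // the `uses:` value with quotes and trailing comment stripped
    pub reason: &'static str, // why it failed the check
}

/// A full git commit SHA: exactly 40 hexadecimal characters. Abbreviated SHAs,
/// tags (`v4`) and branches (`main`) all fail this test.
pub fn is_full_sha(s: &str) -> bool {
    s.len() == 40 && s.chars().all(|c| c.is_ascii_hexdigit())
}

/// Extract the value of a `uses:` entry from one workflow line, if present.
/// Handles `- uses: x`, `uses: x`, quoted values and a trailing `# v1.2.3` comment.
fn uses_value(line: &str) -> Option<&str> {
    let key = line.trim_start().trim_start_matches("- ").trim_start();
    let rest = key.strip_prefix("uses:")?;
    let value = rest.split('#').next().unwrap_or("").trim();
    let value = value.trim_matches(|c| c == '"' || c == '\'');
    if value.is_empty() { None } else { Some(value) }
}

fn violation(idx: usize, uses: &str, reason: &'static str) -> Violation {
    Violation { line: idx + 1, uses: uses.to_string(), reason }
}

/// Return every `uses:` reference in `yaml` that is not pinned.
pub fn check_workflow(yaml: &str) -> Vec<Violation> {
    let mut out = Vec::new();
    for (idx, line) in yaml.lines().enumerate() {
        let Some(uses) = uses_value(line) else { continue };
        if uses.starts_with("./") {
            continue; // local action in this repository: nothing external to pin
        }
        if let Some(image) = uses.strip_prefix("docker://") {
            if !image.contains("@sha256:") {
                out.push(violation(idx, uses, "docker image not pinned by sha256 digest"));
            }
            continue;
        }
        match uses.rsplit_once('@') {
            None => out.push(violation(idx, uses, "no @ref given")),
            Some((_, r)) if !is_full_sha(r) => {
                out.push(violation(idx, uses, "ref is a tag or branch, not a 40-hex commit SHA"))
            }
            Some(_) => {}
        }
    }
    out
}

/// Check every .yml/.yaml file in `dir` (e.g. ".github/workflows") and return the
/// files that have violations. This is the form the check would take as a repo test.
pub fn check_workflow_dir(dir: &str) -> std::io::Result<Vec<(String, Vec<Violation>)>> {
    let mut results = Vec::new();
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        let ext = path.extension().and_then(|e| e.to_str());
        if !matches!(ext, Some("yml") | Some("yaml")) {
            continue;
        }
        let found = check_workflow(&fs::read_to_string(&path)?);
        if !found.is_empty() {
            results.push((path.display().to_string(), found));
        }
    }
    Ok(results)
}

/// Constructed sample workflow (not a real DataFusion workflow). The 40-hex value
/// is a placeholder SHA, not the commit of any real action release.
pub const SAMPLE_WORKFLOW: &str = r#"
# Constructed sample workflow, not a real DataFusion workflow.
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: ./.github/actions/setup-builder
      - uses: "actions/cache@main"
      - uses: docker://alpine:3.20
      - name: Run tests
        run: cargo test
"#;

fn main() {
    // Stand-alone run: report the unpinned references in the constructed sample.
    for v in check_workflow(SAMPLE_WORKFLOW) {
        println!("line {}: {} -> {}", v.line, v.uses, v.reason);
    }
    // As a repository test this would be:
    //   assert!(check_workflow_dir(".github/workflows").unwrap().is_empty());
}
```

Two caveats a reviewer would add. First, this checks the shape of the reference, not its meaning: it cannot tell whether the SHA actually belongs to the version named in the trailing `# v4.2.2` comment, which is the part the merge comment above verified by hand; confirming that needs `git ls-remote` against the action's repository or a pinning tool such as the octopin library linked above. Second, a pinned SHA is only as trustworthy as the repository it points into, so the check complements rather than replaces reviewing which actions are used at all.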

@gopidesupavan gopidesupavan deleted the pin-github-actions branch August 8, 2025 21:36

3 participants