[StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <[email protected]>

Author: step-security-bot

.github/workflows/anchore-analysis.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout the code
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Pull docker images 
       run: | 
         docker pull lfeoperatorfabric/of-cards-consultation-service:SNAPSHOT
@@ -25,101 +25,101 @@ jobs:
         docker pull lfeoperatorfabric/of-supervisor:SNAPSHOT
         docker pull lfeoperatorfabric/of-web-ui:SNAPSHOT
     - name: Analyse card consultation 
-      uses: anchore/scan-action@v3
+      uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
       with:
         image: "lfeoperatorfabric/of-cards-consultation-service:SNAPSHOT"
         acs-report-enable: true
         fail-build: false
     - name: Upload Anchore Scan Report for cards-consultation
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
       with:
         sarif_file: results.sarif
         category: consultation
     - name: Analyse card publication 
-      uses: anchore/scan-action@v3
+      uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
       with:
         image: "lfeoperatorfabric/of-cards-publication-service:SNAPSHOT"
         acs-report-enable: true
         fail-build: false
     - name: Upload Anchore Scan Report for cards-publication
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
       with:
         sarif_file: results.sarif
         category: publication
     - name: Analyse users 
-      uses: anchore/scan-action@v3
+      uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
       with:
         image: "lfeoperatorfabric/of-users-service:SNAPSHOT"
         acs-report-enable: true
         fail-build: false
     - name: Upload Anchore Scan Report for users
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
       with:
         sarif_file: results.sarif
         category: users
     - name: Analyse businessConfig 
-      uses: anchore/scan-action@v3
+      uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
       with:
         image: "lfeoperatorfabric/of-businessconfig-service:SNAPSHOT"
         acs-report-enable: true
         fail-build: false
     - name: Upload Anchore Scan Report for businessConfig
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
       with:
         sarif_file: results.sarif
         category: businessconfig
     - name: Analyse external-devices 
-      uses: anchore/scan-action@v3
+      uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
       with:
         image: "lfeoperatorfabric/of-external-devices-service:SNAPSHOT"
         acs-report-enable: true
         fail-build: false
     - name: Upload Anchore Scan Report for external devices
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
       with:
         sarif_file: results.sarif
         category: external-devices
     - name: Analyse web-ui
-      uses: anchore/scan-action@v3
+      uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
       with:
         image: "lfeoperatorfabric/of-web-ui:SNAPSHOT"
         acs-report-enable: true
         fail-build: false
     - name: Upload Anchore Scan Report for web-ui
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
       with:
         sarif_file: results.sarif
         category: web-ui
     - name: Analyse external-diffusion
-      uses: anchore/scan-action@v3
+      uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
       with:
         image: "lfeoperatorfabric/of-cards-external-diffusion-service:SNAPSHOT"
         acs-report-enable: true
         fail-build: false
     - name: Upload Anchore Scan Report for external-diffusion
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
       with:
         sarif_file: results.sarif
         category: external-diffusion
     - name: Analyse cards reminder 
-      uses: anchore/scan-action@v3
+      uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
       with:
         image: "lfeoperatorfabric/of-cards-reminder:SNAPSHOT"
         acs-report-enable: true
         fail-build: false
     - name: Upload Anchore Scan Report for cards-reminder
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
       with:
         sarif_file: results.sarif
         category: cards-reminder
     - name: Analyse supervisor 
-      uses: anchore/scan-action@v3
+      uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
       with:
         image: "lfeoperatorfabric/of-supervisor:SNAPSHOT"
         acs-report-enable: true
         fail-build: false
     - name: Upload Anchore Scan Report for supervisor
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
       with:
         sarif_file: results.sarif
         category: supervisor

.github/workflows/main.yml

@@ -48,7 +48,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.inputs.dockerPush  != 'true' && github.event.inputs.dockerPushLatest  != 'true' &&  github.event.inputs.doc  != 'true' && github.event.inputs.docLatest  != 'true' && github.event_name != 'schedule' && github.ref_name != 'master' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Job  status
         run: | 
@@ -61,7 +61,7 @@ jobs:
           echo "Opfab Version : ${OF_VERSION}"
           echo "---------------------------"
       - name: Cache Gradle packages
-        uses: actions/cache@v4
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
         with:
           path: |
             ~/.gradle/caches
@@ -92,7 +92,7 @@ jobs:
         run: ./CICD/github/launch_cypress_tests.sh ${{ github.event.inputs.cypressTestFiles }}
 
       - name: Upload cypress screenshots and logs 
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         if: failure()
         with:
             name: cypress-screenshots
@@ -104,7 +104,7 @@ jobs:
     environment: publishVersion
     if: ${{ github.event.inputs.dockerPush  == 'true' || github.event.inputs.dockerPushLatest  == 'true'  ||  github.event.inputs.doc  == 'true' || github.event.inputs.docLatest  == 'true' || github.event_name == 'schedule' || github.ref_name == 'master' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Job  status
         run: | 
@@ -117,7 +117,7 @@ jobs:
           echo "Opfab Version : ${OF_VERSION}"
           echo "---------------------------"
       - name: Cache Gradle packages
-        uses: actions/cache@v4
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
         with:
           path: |
             ~/.gradle/caches
@@ -148,7 +148,7 @@ jobs:
         run: ./CICD/github/launch_cypress_tests.sh 
 
       - name: Upload cypress screenshots
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         if: failure()
         with:
             name: cypress-screenshots

.github/workflows/ort_scan.yml

@@ -25,9 +25,9 @@ jobs:
   tortellini:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: tortellini-tools/action@v3
-      - uses: actions/upload-artifact@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: tortellini-tools/action@683836c1762a9e3c5ef5493548dfb15d5a5dec6d # v3
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: tortellini-result
           path: .tortellini/out

.github/workflows/testWithOldMongo.yml

@@ -11,7 +11,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Job  status
         run: | 
@@ -22,7 +22,7 @@ jobs:
           echo "---------------------------"
           
       - name: Cache Gradle packages
-        uses: actions/cache@v4
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
         with:
           path: |
             ~/.gradle/caches
@@ -48,7 +48,7 @@ jobs:
         run: ./CICD/github/launch_cypress_tests.sh
 
       - name: Upload cypress screenshots
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         if: failure()
         with:
             name: cypress-screenshots

.github/workflows/verify_copyright.yml

@@ -7,11 +7,11 @@ jobs:
   in_changed_files:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/[email protected]
+        uses: tj-actions/changed-files@800a2825992141ddde1a8bca8ad394cec34d3188 # v42.0.5
 
       - name: Verify copyright headers
         run: ./CICD/github/licenceHeaderCheck.sh ${{ steps.changed-files.outputs.all_changed_files }}