[StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <[email protected]>

.github/workflows/blobstore_checks.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Go code format with gofumpt
         run: |
@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: run golangci-lint
         run: |

.github/workflows/ci.yml

@@ -30,11 +30,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Find changed files
         id: changed-files
-        uses: tj-actions/changed-files@v37
+        uses: tj-actions/changed-files@87697c0dca7dd44e37a2b79a79489332556ff1f3 # v37.6.0
         with:
           files: |
             .github/**
@@ -54,19 +54,19 @@ jobs:
 
       - name: Upload codecov
         if: steps.changed-files.outputs.only_changed != 'true'
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
         with:
           files: ./coverage.txt
 
   ci-test-s3:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Find changed files
         id: changed-files
-        uses: tj-actions/changed-files@v37
+        uses: tj-actions/changed-files@87697c0dca7dd44e37a2b79a79489332556ff1f3 # v37.6.0
         with:
           files: |
             .github/**
@@ -88,7 +88,7 @@ jobs:
 
       - name: Upload docker_data.tar.gz
         if: ${{ always() && steps.changed-files.outputs.only_changed != 'true' }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: docker_data
           path: docker/docker_data.tar.gz

.github/workflows/codeql.yml

@@ -20,6 +20,9 @@ on:
   schedule:
     - cron: '10 9 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -46,11 +49,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -64,7 +67,7 @@ jobs:
     # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -77,6 +80,6 @@ jobs:
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/issue_inactive.yml

@@ -15,7 +15,7 @@ jobs:
     if: false # disable
     steps:
       - name: check-inactive-one-week
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@25379ae1ea683ac484497214db131ab8f003a52b # v3.5.1
         with:
           actions: 'check-inactive'
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -24,7 +24,7 @@ jobs:
           exclude-labels: 'inactive-one-month,inactive-three-month,inactive-one-year,inactive-two-year'
 
       - name: check-inactive-one-month
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@25379ae1ea683ac484497214db131ab8f003a52b # v3.5.1
         with:
           actions: 'check-inactive'
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -33,7 +33,7 @@ jobs:
           inactive-label: 'inactive-one-month'
 
       - name: check-inactive-three-month
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@25379ae1ea683ac484497214db131ab8f003a52b # v3.5.1
         with:
           actions: 'check-inactive'
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -42,7 +42,7 @@ jobs:
           inactive-label: 'inactive-three-month'
 
       - name: check-inactive-one-year
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@25379ae1ea683ac484497214db131ab8f003a52b # v3.5.1
         with:
           actions: 'check-inactive'
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -51,7 +51,7 @@ jobs:
           inactive-label: 'inactive-one-year'
 
       - name: check-inactive-two-year
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@25379ae1ea683ac484497214db131ab8f003a52b # v3.5.1
         with:
           actions: 'check-inactive'
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -63,7 +63,7 @@ jobs:
       # remove repetitive labels
       - name: remove-inactive-two-year
         if: github.event.label.name == 'inactive-two-year'
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@25379ae1ea683ac484497214db131ab8f003a52b # v3.5.1
         with:
           actions: 'remove-labels'
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -72,7 +72,7 @@ jobs:
 
       - name: remove-inactive-one-year
         if: github.event.label.name == 'inactive-one-year'
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@25379ae1ea683ac484497214db131ab8f003a52b # v3.5.1
         with:
           actions: 'remove-labels'
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -81,7 +81,7 @@ jobs:
 
       - name: remove-inactive-three-month
         if: github.event.label.name == 'inactive-three-month'
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@25379ae1ea683ac484497214db131ab8f003a52b # v3.5.1
         with:
           actions: 'remove-labels'
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -90,7 +90,7 @@ jobs:
 
       - name: remove-inactive-one-month
         if: github.event.label.name == 'inactive-one-month'
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@25379ae1ea683ac484497214db131ab8f003a52b # v3.5.1
         with:
           actions: 'remove-labels'
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/issue_similarity.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: analysis
-        uses: actions-cool/issues-similarity-analysis@v1
+        uses: actions-cool/issues-similarity-analysis@8f46978e3e8b79d736997a225c95d27d9029f294 # v1.3.1
         with:
           filter-threshold: 0.6
           comment-title: '### See'

.github/workflows/release_test.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Release and run ltp tests
         run: |
           echo "disable release ci checks"