[AAE-18117] Use SHA for GitHub actions (#9113)

* AAE-18117 - Add pre-checks job

* AAE-18117 - Use pinned SHA

* AAE-18117 - Update dependabot.yml
Giovanni Fertuso
2023-11-27 10:58:24 +00:00
committed by GitHub
parent 3cf2ffa7bd
commit 3daecb1b1c
15 changed files with 123 additions and 55 deletions


@@ -94,11 +94,14 @@ env:
PROXY_HOST_ECM: ${{ secrets.E2E_HOST }}
jobs:
check-package-lock:
pre-checks:
runs-on: ubuntu-22.04
steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Ensure SHA pinned actions
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b35f285b9bb7e80de0967367cee66d3b6d50ceca # v3.0.1
- name: Check package-lock.json version
run: |
@@ -113,15 +116,15 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
fetch-depth: 0
- name: Get branch name
uses: Alfresco/alfresco-build-tools/.github/actions/get-branch-name@v1.36.0
uses: Alfresco/alfresco-build-tools/.github/actions/get-branch-name@7b0536b4e403e95365d83695c9ab3119b885ce36 # v1.36.0
- name: Save commit message
uses: Alfresco/alfresco-build-tools/.github/actions/get-commit-message@v1.36.0
uses: Alfresco/alfresco-build-tools/.github/actions/get-commit-message@7b0536b4e403e95365d83695c9ab3119b885ce36 # v1.36.0
- name: ci:force flag parser
shell: bash
@@ -136,7 +139,7 @@ jobs:
- name: Get PR number
if: ${{ github.event_name != 'schedule' }}
uses: kamatama41/get-pr-number-action@5c77b38a1b4974ebf8a9521a689f38a5898eadd6
uses: kamatama41/get-pr-number-action@5c77b38a1b4974ebf8a9521a689f38a5898eadd6 # v0.7.0
id: action
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -193,10 +196,10 @@ jobs:
timeout-minutes: 30
name: "Setup"
runs-on: ubuntu-22.04
needs: [check-if-pr-is-approved, check-package-lock]
needs: [check-if-pr-is-approved, pre-checks]
steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
fetch-depth: 0 # Fetch all history for all tags and branches
- uses: ./.github/actions/setup
@@ -232,7 +235,7 @@ jobs:
exclude: "insights,core,extensions,content-services,process-services,eslint-plugin-eslint-angular,js-api"
steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
fetch-depth: 0 # Fetch all history for all tags and branches
- uses: ./.github/actions/setup
@@ -249,7 +252,7 @@ jobs:
needs: [setup]
steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
fetch-depth: 0 # Fetch all history for all tags and branches
- uses: ./.github/actions/setup
@@ -264,7 +267,7 @@ jobs:
needs: [setup]
steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
fetch-depth: 0 # Fetch all history for all tags and branches
- uses: ./.github/actions/setup
@@ -281,7 +284,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
fetch-depth: 0 # Fetch all history for all
- uses: ./.github/actions/setup
@@ -424,7 +427,7 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
fetch-depth: 0 # Fetch all history for all
- uses: ./.github/actions/setup
@@ -454,12 +457,12 @@ jobs:
steps:
- id: checkoutRepo
name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
fetch-depth: 1
- name: PR contains forbidden labels
id: pr-forbidden
uses: actions/github-script@v6
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
with:
script: |
const issueHasLabels = require('./scripts/github/update/check-issue-has-label.js');
@@ -479,9 +482,9 @@ jobs:
if: ${{ always() }}
runs-on: ubuntu-latest
name: Final Results
needs: [check-if-pr-is-approved, check-package-lock, setup, unit-tests, lint, build-libs, e2e, e2e-storybook]
needs: [check-if-pr-is-approved, pre-checks, setup, unit-tests, lint, build-libs, e2e, e2e-storybook]
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Log e2e result
id: e2e-result
if: ${{ github.event_name == 'schedule' }}
@@ -495,7 +498,7 @@ jobs:
uses: ./.github/actions/slack-group-area
with:
affected: ${{ steps.e2e-result.outputs.result }}
- uses: slackapi/slack-github-action@v1.23.0
- uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0
name: Nofify QA failure
if: ${{ github.event_name == 'schedule' && contains(needs.*.result, 'failure') }}
env:
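Review bot: The `pre-checks` job in the first hunk pins `actions/checkout` to v4.1.1, while every other job in this file pins v3.6.0, so one workflow now runs two major versions of the same action. Unless the split is deliberate, align them, for example `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` in `pre-checks`, or move the other jobs to the v4.1.1 hash in a follow-up. The new `Ensure SHA pinned actions` step covers refs written in the workflow files. Whether it also reaches the `uses:` lines inside the local composite actions (`./.github/actions/setup`, `./.github/actions/slack-group-area`) or inside the `Alfresco/alfresco-build-tools` actions is not visible here, and a tag reference left in any of them would still be mutable. Nothing shown verifies the trailing version comments against the hashes, so a comment above the first pinned step would help, such as `# Actions are pinned to full commit SHAs; update the trailing version comment together with the hash.`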