[AAE-18117] Use SHA for GitHub actions (#9113)

* AAE-18117 - Add pre-checks job

* AAE-18117 - Use pinned SHA

* AAE-18117 - Update dependabot.yml

.github/actions/artifact-append/action.yml

@@ -22,13 +22,13 @@ runs:
     - run: echo "Artifact Append"
       shell: bash
     - name: Download artifact
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
       with:
         name: ${{ inputs.artifact-name }}
     - run: ls
       shell: bash
     - name: Append content
-      uses: actions/github-script@v6
+      uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
       env:
         contentFile: ${{ inputs.content }}
         fileName: ${{ inputs.file-name }}
@@ -83,7 +83,7 @@ runs:
             }
           }
     - name: Upload artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: ${{ inputs.artifact-name }}
         path: ${{ inputs.file-name }}

.github/actions/artifact-extract/action.yml

@@ -24,11 +24,11 @@ runs:
   using: "composite"
 
   steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
     - run: echo "Artifact Extract"
       shell: bash
     - name: Download artifact
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
       with:
         name: ${{ inputs.artifact-name }}
     - id: extract

.github/actions/artifact-initialize/action.yml

@@ -19,14 +19,14 @@ runs:
   using: "composite"
 
   steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
     - name: Create empty artifact
       shell: bash
       run: 
         echo "${{inputs.content}}" > ${{ inputs.file-name }}
 
     - name: Upload artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: ${{ inputs.artifact-name }}
         path: ${{ inputs.file-name }}

.github/actions/e2e/action.yml

@@ -184,7 +184,7 @@ runs:
     - name: upload artifacts on gh
       id: upload_gh
       if: ${{ steps.determine-affected.outputs.isAffected == 'true' }}
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: e2e-artifact-output
         path: /home/runner/work/alfresco-ng2-components/alfresco-ng2-components/e2e-output-*

.github/actions/setup/action.yml

@@ -20,18 +20,18 @@ runs:
   using: "composite"
   steps:
       - name: install NPM
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
         with:
           node-version-file: '.nvmrc'
           cache-dependency-path: package-lock.json
       - name: get latest tag sha
         id: tag-sha
-        uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
+        uses: Alfresco/alfresco-build-tools/.github/actions/git-latest-tag@d3b4d2e2e08dc33a5d1d60138e9e5989a3dd264c # v1.29.0
 # CACHE
       - name: Node Modules cache
         id: node-modules-cache
         if: ${{ inputs.enable-node-modules-cache == 'true' }}
-        uses: actions/cache@v3
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         env:
           cache-name: node-modules-cache
         with:
@@ -43,7 +43,7 @@ runs:
             node_modules-${{ runner.os }}-build-
             node_modules-${{ runner.os }}-
       - name: pip cache
-        uses: actions/cache@v3
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         if: ${{ inputs.enable-cache == 'true' }}
         with:
           path: ~/.cache/pip

.github/actions/slack-group-area/action.yml

@@ -18,7 +18,7 @@ runs:
   steps:
     - name: Append group
       id: group
-      uses: actions/github-script@v6
+      uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
       env:
         affectedLib: ${{ inputs.affected }}
       with:

.github/dependabot.yml

@@ -24,8 +24,73 @@ updates:
       - label: "nrwl Updates"
         packages:
           - "@nrwl/*"
-        version: "widen"    
+        version: "widen"
   ignore:
     - dependency-name: "pdfjs-dist"
     - dependency-name: "@types/*"
     - dependency-name: "typescript"
+
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "weekly"
+- package-ecosystem: "github-actions"
+  directory: "/.github/actions/artifact-append"
+  schedule:
+    interval: "weekly"
+- package-ecosystem: "github-actions"
+  directory: "/.github/actions/artifact-extract"
+  schedule:
+    interval: "weekly"
+- package-ecosystem: "github-actions"
+  directory: "/.github/actions/artifact-initialize"
+  schedule:
+    interval: "weekly"
+- package-ecosystem: "github-actions"
+  directory: "/.github/actions/before-install"
+  schedule:
+    interval: "weekly"
+- package-ecosystem: "github-actions"
+  directory: "/.github/actions/download-node-modules-and-artifacts"
+  schedule:
+    interval: "weekly"
+- package-ecosystem: "github-actions"
+  directory: "/.github/actions/e2e"
+  schedule:
+    interval: "weekly"
+- package-ecosystem: "github-actions"
+  directory: "/.github/actions/enable-dryrun"
+  schedule:
+    interval: "weekly"
+- package-ecosystem: "github-actions"
+  directory: "/.github/actions/get-latest-tag-sha"
+  schedule:
+    interval: "weekly"
+- package-ecosystem: "github-actions"
+  directory: "/.github/actions/npm-check-bundle"
+  schedule:
+    interval: "weekly"
+- package-ecosystem: "github-actions"
+  directory: "/.github/actions/print-affected-libs"
+  schedule:
+    interval: "weekly"
+- package-ecosystem: "github-actions"
+  directory: "/.github/actions/set-npm-tag"
+  schedule:
+    interval: "weekly"
+- package-ecosystem: "github-actions"
+  directory: "/.github/actions/setup"
+  schedule:
+    interval: "weekly"
+- package-ecosystem: "github-actions"
+  directory: "/.github/actions/setup-chrome"
+  schedule:
+    interval: "weekly"
+- package-ecosystem: "github-actions"
+  directory: "/.github/actions/slack-group-area"
+  schedule:
+    interval: "weekly"
+- package-ecosystem: "github-actions"
+  directory: "/.github/actions/upload-node-modules-and-artifacts"
+  schedule:
+    interval: "weekly"

.github/workflows/codeql-analysis.yml

@@ -22,15 +22,15 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
         fetch-depth: 2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: javascript
@@ -39,7 +39,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -53,4 +53,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8

.github/workflows/cron-e2e.yml

@@ -73,7 +73,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Initialize artifacts
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - uses: ./.github/actions/artifact-initialize
         with:
           artifact-name: global-e2e-result

.github/workflows/git-tag.yml

@@ -96,13 +96,13 @@ jobs:
       GITHUB_TOKEN: $BOT_GITHUB_TOKEN
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - id: set-dryrun
         uses: ./.github/actions/enable-dryrun
         with:
           dry-run-flag: ${{ inputs.dry-run-flag }}
       - name: install NPM
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
         with:
           node-version-file: '.nvmrc'
       - name: "Release tag"

.github/workflows/package_dispatch.yml

@@ -9,7 +9,7 @@ jobs:
     if: github.event.registry_package.package_type == 'npm' && github.event.registry_package.name == 'adf-core'
     steps:
       - name: Dispatch event to monorepo
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           github-token: ${{ secrets.PAT_WRITE_PKG }}
           retries: 3

.github/workflows/pull-request.yml

@@ -94,11 +94,14 @@ env:
   PROXY_HOST_ECM: ${{ secrets.E2E_HOST }}
 
 jobs:
-  check-package-lock:
+  pre-checks:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b35f285b9bb7e80de0967367cee66d3b6d50ceca # v3.0.1
 
       - name: Check package-lock.json version
         run: |
@@ -113,15 +116,15 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
          fetch-depth: 0
 
       - name: Get branch name
-        uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
+        uses: Alfresco/alfresco-build-tools/.github/actions/get-branch-name@7b0536b4e403e95365d83695c9ab3119b885ce36 # v1.36.0
 
       - name: Save commit message
-        uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
+        uses: Alfresco/alfresco-build-tools/.github/actions/get-commit-message@7b0536b4e403e95365d83695c9ab3119b885ce36 # v1.36.0
 
       - name: ci:force flag parser
         shell: bash
@@ -136,7 +139,7 @@ jobs:
 
       - name: Get PR number
         if: ${{ github.event_name != 'schedule' }}
-        uses: kamatama41/get-pr-number-action@5c77b38a1b4974ebf8a9521a689f38a5898eadd6
+        uses: kamatama41/get-pr-number-action@5c77b38a1b4974ebf8a9521a689f38a5898eadd6 # v0.7.0
         id: action
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -193,10 +196,10 @@ jobs:
     timeout-minutes: 30
     name: "Setup"
     runs-on: ubuntu-22.04
-    needs: [check-if-pr-is-approved, check-package-lock]
+    needs: [check-if-pr-is-approved, pre-checks]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 0 # Fetch all history for all tags and branches
       - uses: ./.github/actions/setup
@@ -232,7 +235,7 @@ jobs:
             exclude: "insights,core,extensions,content-services,process-services,eslint-plugin-eslint-angular,js-api"
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 0 # Fetch all history for all tags and branches
       - uses: ./.github/actions/setup
@@ -249,7 +252,7 @@ jobs:
     needs: [setup]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 0 # Fetch all history for all tags and branches
       - uses: ./.github/actions/setup
@@ -264,7 +267,7 @@ jobs:
     needs: [setup]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 0 # Fetch all history for all tags and branches
       - uses: ./.github/actions/setup
@@ -281,7 +284,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 0 # Fetch all history for all
       - uses: ./.github/actions/setup
@@ -424,7 +427,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 0 # Fetch all history for all
       - uses: ./.github/actions/setup
@@ -454,12 +457,12 @@ jobs:
     steps:
       - id: checkoutRepo
         name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 1
       - name: PR contains forbidden labels
         id: pr-forbidden
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             const issueHasLabels = require('./scripts/github/update/check-issue-has-label.js');
@@ -479,9 +482,9 @@ jobs:
     if: ${{ always() }}
     runs-on: ubuntu-latest
     name: Final Results
-    needs: [check-if-pr-is-approved, check-package-lock, setup, unit-tests, lint, build-libs, e2e, e2e-storybook]
+    needs: [check-if-pr-is-approved, pre-checks, setup, unit-tests, lint, build-libs, e2e, e2e-storybook]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Log e2e result
         id: e2e-result
         if: ${{ github.event_name == 'schedule' }}
@@ -495,7 +498,7 @@ jobs:
         uses: ./.github/actions/slack-group-area
         with:
           affected: ${{ steps.e2e-result.outputs.result }}
-      - uses: slackapi/[email protected]
+      - uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0
         name: Nofify QA failure
         if: ${{ github.event_name == 'schedule' && contains(needs.*.result, 'failure') }}
         env:

.github/workflows/rebase.yml

@@ -9,10 +9,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout the latest code
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       with:
         fetch-depth: 0
     - name: Automatic Rebase
-      uses: cirrus-actions/[email protected]
+      uses: cirrus-actions/rebase@b87d48154a87a85666003575337e27b8cd65f691 # 1.8
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}