chore(ci): pin all 3rd party actions

.github/workflows/closed-issues-message.yml

@@ -6,7 +6,7 @@ jobs:
   auto_comment:
     runs-on: ubuntu-latest
     steps:
-      - uses: aws-actions/closed-issue-message@v1
+      - uses: aws-actions/closed-issue-message@36b7048ea77bb834d16e7a7c5b5471ac767a4ca1 # v1.0.0
         with:
           # These inputs are both required
           repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/dispatch_analytics.yml

@@ -29,7 +29,7 @@ jobs:
     environment: analytics
     steps:
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef
+        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
         with:
           aws-region: eu-central-1
           role-to-assume: ${{ secrets.AWS_ANALYTICS_ROLE_ARN }}

.github/workflows/label_pr_on_title.yml

@@ -22,9 +22,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
       - name: "Label PR based on title"
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         env:
           PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }}
           PR_TITLE: ${{ needs.get_pr_details.outputs.prTitle }}

.github/workflows/make-release.yml

@@ -13,14 +13,14 @@ jobs:
       RELEASE_VERSION: ${{ steps.set-release-version.outputs.RELEASE_VERSION }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
         with:
           # Here `token` is needed to avoid incurring in error GH006 Protected  Branch Update Failed,
           token: ${{ secrets.GH_PUBLISH_TOKEN }}
           # While `fetch-depth` is used to allow the workflow to later commit & push the changes.
           fetch-depth: 0
       - name: Setup NodeJS
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: "18"
           cache: "npm"

.github/workflows/measure-packages-size.yml

@@ -18,16 +18,16 @@ jobs:
       # we need first to use the PR number to retrieve the PR SHA number. This means we need three steps to: checkout the repo,
       # run a custom script to get the SHA, and then finally checkout the PR branch
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
       - name: Extract PR details
         id: extract_PR_details
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             const script = require('.github/scripts/get_pr_info.js');
             await script({github, context, core});
       - name: Checkout PR code
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
         with:
           ref: ${{ steps.extract_PR_details.outputs.headSHA }}
       - name: Packages size report

.github/workflows/on-merge-to-main.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
       - name: Update release draft
         uses: release-drafter/release-drafter@569eb7ee3a85817ab916c8f8ff03a5bd96c9c83e # v5.23.0
         env:
@@ -35,9 +35,9 @@ jobs:
     needs: [get_pr_details, update-release-draft]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
       - name: "Label PR related issue for release"
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         env:
           PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }}
           PR_BODY: ${{ needs.get_pr_details.outputs.prBody }}

.github/workflows/on-workflows-push-pr.yml

@@ -14,20 +14,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
       - name: Ensure 3rd party workflows have SHA pinned
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b9ddf6a5153efe6fb94f071c8915175afdce60fa # v2.1.0
-        with:
-          # Trusted GitHub Actions and/or organizations
-          allowlist: |
-            aws-actions/
-            actions/stale
-            actions/checkout
-            actions/github-script
-            actions/setup-node
-            actions/setup-python
-            actions/upload-artifact
-            actions/download-artifact
-            github/codeql-action/init
-            github/codeql-action/analyze
-            dependabot/fetch-metadata
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@21991cec25093947ff3f62e4c223df0260c39944 # v2.1.2

.github/workflows/on_opened_pr.yml

@@ -19,11 +19,11 @@ jobs:
     needs: get_pr_details
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
       - name: "Debug workflow_run event"
         run: echo "${{ github }}"
       - name: "Ensure related issue is present"
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         env:
           PR_BODY: ${{ needs.get_pr_details.outputs.prBody }}
           PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }}

.github/workflows/post-release.yml

@@ -23,9 +23,9 @@ jobs:
     env:
       RELEASE_VERSION: ${{ inputs.versionNumber }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
       - name: Update issues related to release
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/publish_layer.yml

@@ -33,11 +33,11 @@ jobs:
     if: ${{ (github.event.workflow_run.conclusion == 'success') || (github.event_name == 'workflow_dispatch') }}
     steps:
       - name: checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
         with:
           fetch-depth: 0
       - name: Setup Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: "18"
       - name: Set release notes tag
@@ -57,7 +57,7 @@ jobs:
       - name: Zip output
         run: zip -r cdk.out.zip layers/cdk.out
       - name: Archive CDK artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: cdk-layer-artifact
           path: cdk.out.zip

.github/workflows/record_pr.yml

@@ -9,14 +9,14 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
       - name: "Extract PR details"
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             const script = require('.github/scripts/save_pr_details.js')
             await script({github, context, core})
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: pr
           path: pr.txt

.github/workflows/reusable-publish-docs.yml

@@ -27,19 +27,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
         with:
           # While `fetch-depth` is used to allow the workflow to later commit & push the changes.
           fetch-depth: 0
       - name: Setup NodeJS
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: "18"
           cache: "npm"
       - name: Setup dependencies
         uses: ./.github/actions/cached-node-modules
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0
         with:
           python-version: "3.8"
       - name: Install doc generation dependencies
@@ -81,7 +81,7 @@ jobs:
           destination_dir: ${{ env.VERSION }}/api
       - name: Release API docs to latest
         if: ${{ inputs.alias == 'latest' }}
-        uses: peaceiris/actions-gh-pages@bd8c6b06eba6b3d25d72b7a1767993c0aeee42e7
+        uses: peaceiris/actions-gh-pages@bd8c6b06eba6b3d25d72b7a1767993c0aeee42e7 # v3.9.2
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./api

.github/workflows/reusable-run-linting-check-and-unit-tests.yml

@@ -14,9 +14,9 @@ jobs:
       fail-fast: false
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
       - name: Setup NodeJS
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: ${{ matrix.version }}
           cache: "npm"
@@ -43,9 +43,9 @@ jobs:
         working-directory: examples/${{ matrix.example }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
       - name: Setup NodeJS
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: 18
           cache: "npm"
@@ -61,9 +61,9 @@ jobs:
       NODE_ENV: dev
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
       - name: Setup NodeJS
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: 18
           cache: "npm"
@@ -83,9 +83,9 @@ jobs:
       NODE_ENV: dev
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
       - name: Setup NodeJS
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: 18
           cache: "npm"

.github/workflows/reusable_deploy_layer_stack.yml

@@ -60,20 +60,20 @@ jobs:
           ]
     steps:
       - name: checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
       - name: aws credentials
-        uses: aws-actions/configure-aws-credentials@186395a8644e48f35e7b453e8a7128d9a3948296
+        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
         with:
           aws-region: ${{ matrix.region }}
           role-to-assume: ${{ secrets.target-account-role }}
       - name: Setup Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: "18"
       - name: Setup dependencies
         uses: ./.github/actions/cached-node-modules
       - name: Download artifact
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: ${{ inputs.artifact-name }}
       - name: Unzip artifact
@@ -88,7 +88,7 @@ jobs:
           cat cdk-layer-stack/${{ matrix.region }}-layer-version.txt
       - name: Save Layer ARN artifact
         if: ${{ inputs.stage == 'PROD' }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: cdk-layer-stack
           path: ./cdk-layer-stack/* # NOTE: upload-artifact does not inherit working-directory setting.

.github/workflows/reusable_export_pr_details.yml

@@ -50,9 +50,9 @@ jobs:
       prIsMerged: ${{ steps.prIsMerged.outputs.prIsMerged }}
     steps:
       - name: Checkout repository # in case caller workflow doesn't checkout thus failing with file not found
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
       - name: "Download previously saved PR"
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         env:
           WORKFLOW_ID: ${{ inputs.record_pr_workflow_id }}
         # For security, we only download artifacts tied to the successful PR recording workflow
@@ -68,19 +68,19 @@ jobs:
       # otherwise the parent caller won't see them regardless on how outputs are set.
       - name: "Export Pull Request Number"
         id: prNumber
-        run: echo "prNumber=$(jq -c '.number' ${FILENAME})" >> $GITHUB_OUTPUT
+        run: echo prNumber="$(jq -c '.number' "${FILENAME}")" >> "$GITHUB_OUTPUT"
       - name: "Export Pull Request Title"
         id: prTitle
-        run: echo "prTitle=$(jq -c '.pull_request.title' ${FILENAME})" >> $GITHUB_OUTPUT
+        run: echo prTitle="$(jq -c '.pull_request.title' "${FILENAME}")" >> "$GITHUB_OUTPUT"
       - name: "Export Pull Request Body"
         id: prBody
-        run: echo "prBody=$(jq -c '.pull_request.body' ${FILENAME})" >> $GITHUB_OUTPUT
+        run: echo prBody="$(jq -c '.pull_request.body' "${FILENAME}")" >> "$GITHUB_OUTPUT"
       - name: "Export Pull Request Author"
         id: prAuthor
-        run: echo "prAuthor=$(jq -c '.pull_request.user.login' ${FILENAME})" >> $GITHUB_OUTPUT
+        run: echo prAuthor="$(jq -c '.pull_request.user.login' "${FILENAME}")" >> "$GITHUB_OUTPUT"
       - name: "Export Pull Request Action"
         id: prAction
-        run: echo "prAction=$(jq -c '.action' ${FILENAME})" >> $GITHUB_OUTPUT
+        run: echo prAction="$(jq -c '.action' "${FILENAME}")" >> "$GITHUB_OUTPUT"
       - name: "Export Pull Request Merged status"
         id: prIsMerged
-        run: echo "prIsMerged=$(jq -c '.pull_request.merged' ${FILENAME})" >> $GITHUB_OUTPUT
+        run: echo prIsMerged="$(jq -c '.pull_request.merged' "${FILENAME}")" >> "$GITHUB_OUTPUT"

.github/workflows/reusable_update_layer_arn_docs.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository # reusable workflows start clean, so we need to checkout again
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
         with:
           fetch-depth: 0
       - name: Git client setup and refresh tip
@@ -34,7 +34,7 @@ jobs:
           git config remote.origin.url >&- || git remote add origin https://github.com/"${origin}" # Git Detached mode (release notes) doesn't have origin
           git pull origin "${BRANCH}"
       - name: Download CDK layer artifact
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: cdk-layer-stack
           path: cdk-layer-stack/