[Security] Pin GitHub Actions to a full-length commit SHA

[juliendoutre]

Pin GitHub Actions to SHA hashes

This automated PR pins third-party GitHub Actions references from mutable tag versions (e.g., @v4) to their corresponding SHA hashes (e.g., @abc123...). The original tag is preserved as a comment for readability. Your workflows will work exactly the same way. Internal actions (under the DataDog organization) are not pinned.

Read https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions for more details and info on how to configure this for entire repos.

Why pin GitHub Actions?

Git tags are mutable: they can be moved to point to different commits at any time. A compromised or malicious action maintainer could update a tag to inject arbitrary code into your CI workflows (see the tj-actions incident). Pinning to SHA hashes ensures you always run the exact code you reviewed, protecting your repository from supply chain attacks such as the tj-actions incident.

What if something breaks?

If a pinned action doesn't work for your use case, you can push a commit directly to this branch to fix it. As a last resort, reach out to #sdlc-security on Slack.

Set up Dependabot or Renovate for automatic updates

Once actions are pinned to SHA hashes, you should configure Dependabot or Renovate to receive weekly update PRs when new versions are available.

In the case of Dependabot, create or update .github/dependabot.yml:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"
    open-pull-requests-limit: 10

Dependabot will automatically propose PRs that update both the SHA hash and the version comment like in this example.

---

This PR was automatically generated by the GitHub Actions Pinning tool, owned by #sdlc-security.

[iksaif]

Can you resolve the conflicts ?

[iksaif]

Closing as superseded — actions are already pinned to newer versions in main.

[juliendoutre]

@iksaif I don't see the main branch actions being pinned by hash: https://github.com/DataDog/adipo/tree/main/.github/workflows
Should we reopen this PR?

[iksaif]

I pinned newer versions .. but using versions not hash ! (could we make dependabot just update the hashs and not the versions ?)

[juliendoutre]

Versions tags are mutable so less reliable than hashes. Dependabot automatically bumps the hash and the commented version tag next to it yes.

[iksaif]

ok pushing a commit to do this now

[juliendoutre]

ok pushing a commit to do this now

Thank you!